Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-09-2024 20:09

General

  • Target

    0ebfef7d6059b82e87e05a54e80e5a7b.exe

  • Size

    2.6MB

  • MD5

    0ebfef7d6059b82e87e05a54e80e5a7b

  • SHA1

    3c1ab9c072625b9e08b72013967b04bd2e0cb69e

  • SHA256

    4695fbf41abd54d1449d8da4a5976d50aec0499e3e2959e20686237d32db3114

  • SHA512

    a695816e77c3d569ba861fab022035910858cf2db0e15dd2a58398c6f39394add35172ca209de1d0d02019f5f0a4f35beb8e3ea56c4e0c37cb645379d1d9e5c9

  • SSDEEP

    24576:3bsATQUIP6braCWyv6BpHv+LOez9OulOcsV9DK2J2aBcpsam5RvikgJkf:3vbDCv+HOulOcQMYYsP5RviP6

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • UAC bypass 3 TTPs 1 IoCs
  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ebfef7d6059b82e87e05a54e80e5a7b.exe
    "C:\Users\Admin\AppData\Local\Temp\0ebfef7d6059b82e87e05a54e80e5a7b.exe"
    1⤵
    • UAC bypass
    • Server Software Component: Terminal Services DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2396
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >C:\Users\Admin\AppData\Local\Temp\Pass.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Users\Admin\AppData\Local\Temp\mimikatz.exe
        C:\Users\Admin\AppData\Local\Temp\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:848
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\graphicsperfsvcs.dll, XiaoDeBu Graphipcs_PerfSvcs
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3520
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3880,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
    1⤵
    PID:4500

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Pass.txt

      Filesize

      610B

      MD5

      e6755266b069eeed568b171f9dd69008

      SHA1

      cd936565bd9838042ab6512836f368d47034ff4c

      SHA256

      d691240500c369458e0f98ca9a9c8df6ad3494f8700bc982f27f3800ab3681d1

      SHA512

      f2884be7017502b76703c11497f82cb29561bf7101f637ab103eefb24538a4fcc438a40f817a7a659a7908936d7d9011d1024573f920cf36bcd2997d2e463d7c

    • C:\Users\Admin\AppData\Local\Temp\mimikatz.exe

      Filesize

      905KB

      MD5

      50300de5e4786530ea603224ccbcbb02

      SHA1

      d343b0019084de2dd882e92a79a872370bc6028f

      SHA256

      23a243a1ce474c4da90b1003ffcbaf9a3ff25e0787844bfe74c21671fdd8b269

      SHA512

      a41f0e2140046d1074e444881e7b23f3ba79e304acca4df25dcdb522e0a1ef21b5e64245748d359cad18e4966d76fe622cbc8f542ee1cf2a38f9de5971398b8c

    • \??\c:\windows\graphicsperfsvcs.dll

      Filesize

      104KB

      MD5

      cd1b4e13446adbd451196fc3e7f59e26

      SHA1

      6cd3fd4b54ce0c7109709851781138bbb66eb0aa

      SHA256

      dda0aa71a3aaf64c5de3aade73b3619f5b135d1dee66b88725e5a804272318e3

      SHA512

      2cd76db9207d55d465e36277aaadd9bd5ed8007e8a4aa78027c5d91aa6a9772f271a4f3ae611892497b8b31d35b6e89262eee6c2366ecb04011e43741d35b439