Analysis

  • max time kernel
    139s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    17/10/2024, 01:59

General

  • Target

    d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe

  • Size

    96KB

  • MD5

    373047647bd25c1d3aa9cd960bcd7af8

  • SHA1

    5436d03709612a6b1aa2ebbc9609de33c34b3260

  • SHA256

    d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da

  • SHA512

    e1ef29b53678bdcf242004cc03494d2b85e16aea86a801ccb000a4e45a0ad2f6448c6426401cd86d3731d1a3aa024c154a8402811ea8b2b97285fa646a86b301

  • SSDEEP

    1536:1kFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr9SNsMSaSKd:1WS4jHS8q/3nTzePCwNUh4E99SNiKd

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe
    "C:\Users\Admin\AppData\Local\Temp\d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1360
    • \??\c:\users\admin\appdata\local\jbponnmwwg
      "C:\Users\Admin\AppData\Local\Temp\d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe" a -sc:\users\admin\appdata\local\temp\d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4544
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1104
      2⤵
      • Program crash
      PID:4944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1792 -ip 1792
    1⤵
    PID:3944
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4852
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 712
      2⤵
      • Program crash
      PID:2424
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4852 -ip 4852
    1⤵
    PID:3696
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:5012
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 840
      2⤵
      • Program crash
      PID:3384
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5012 -ip 5012
    1⤵
    PID:1764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\jbponnmwwg
    Filesize
    22.3MB
    MD5
    a3a4cca0633bcd32b64dc901e15acfa1
    SHA1
    6dacc7d37a799c6866de3979e2624f4fd8019435
    SHA256
    1b33b68f66da95aa654499c06526bfbc9c5676e0c728f80e63d7eb6e1bdec6a2
    SHA512
    6b6be844ca55bf15c7e8ac54845bea1af637b77c39e538a6d61e5dac699ff987f5d3946ec8fc0d7b54e3405aaf6b75aab1c659828fa97fc2e9e541cbb9dd02b3

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize
    204B
    MD5
    7f06803077c5e2b3179782c5b7e0d909
    SHA1
    44942428883c1e39925973e58e13a88d06967e39
    SHA256
    a6ad0870e1208bbfb8d5de0799147a2675e9b3547335e30c4b46f808cf617959
    SHA512
    2a31ea66bccbf5a6f1f3656844dafe9c27dd030e80ec2d32e4e65cf7e97386cb2311ab56ccfe4777a0e4fee8f8bbbac1d1c0161ea4b6dd3cd08a2bacd7b377bb

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize
    306B
    MD5
    cb1e5bc3923f7bf8dac79a4a99db7ecb
    SHA1
    4965e83e7541bbc2a8123b2456c1cc56b27b9f6e
    SHA256
    9a1aa771cd016ee97deacc5ad10b8ceec1e3c41bc57d9d0c1a879c44efc130c3
    SHA512
    d2228695b8557caf50d8560abad2e86140f76d4d791b3575c0b3856482ba05973c4f05e65ac91ef0b435eb3064f32fc979550d419d10c944915df9d498f3db31

  • \??\c:\programdata\application data\storm\update\%sessionname%\tdspl.cc3
    Filesize
    22.1MB
    MD5
    7d140cbfb4e3560dc0cf2e3942b4496c
    SHA1
    69d96359a90b4969992c1c9627e2310971945e35
    SHA256
    12b11d170529895116f6b9df3310c2e57768985691f557b2433e9159117f057e
    SHA512
    31fcb21cdbaf39f6a1ae64504b779d3ad5a94e5c9279648aad79a2d4c04dd3ad67f7fe148d0e6d511a7b86335436cea51557d65c6bdd86f45132c4d53049b379

  • memory/1360-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize
    4KB

  • memory/1360-7-0x0000000000400000-0x000000000044E2D4-memory.dmp
    Filesize
    312KB

  • memory/1360-0-0x0000000000400000-0x000000000044E2D4-memory.dmp
    Filesize
    312KB

  • memory/1792-19-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB

  • memory/1792-17-0x00000000013C0000-0x00000000013C1000-memory.dmp
    Filesize
    4KB

  • memory/4544-8-0x0000000000400000-0x000000000044E2D4-memory.dmp
    Filesize
    312KB

  • memory/4544-16-0x0000000000400000-0x000000000044E2D4-memory.dmp
    Filesize
    312KB

  • memory/4544-11-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize
    4KB

  • memory/4852-21-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
    Filesize
    4KB

  • memory/4852-24-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB

  • memory/5012-26-0x0000000001890000-0x0000000001891000-memory.dmp
    Filesize
    4KB

  • memory/5012-29-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB