Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 02:30

General

  • Target

    ZZZVMP~1.exe

  • Size

    250KB

  • MD5

    a5604e31ed5ae25df2dfe72af47d8e15

  • SHA1

    930320b599e50305475ba3c77f1c84ce234d4fa4

  • SHA256

    edcf12512c0b2cbb1c5680ffd56ea020ac5723e7fcf476272bd20315fa18d6cc

  • SHA512

    8d9936e1599ea1748aae0212a1efa5dbb23365c6cfceba8c2a8f47554e4d5ddcddb317bca4c6489a9e824e064a5d5d3fe0448da54e8029952f747c86daa31346

  • SSDEEP

    6144:q/kuouETjkfHN7VH4tFHpXmLM2vj0jJNbLoJt0wy0Y6Osh:qJ7ETQHfY1FLoJlnHh

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZZZVMP~1.exe
    "C:\Users\Admin\AppData\Local\Temp\ZZZVMP~1.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Output.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Output.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Output.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Output.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of UnmapMainImage
        PID:1936

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Output.exe

          Filesize

          198KB

          MD5

          baaa4a7d34833b22d9687e255b7d6de6

          SHA1

          7a8a50882c5f6ead554a6f9c3d0084a2df0bc507

          SHA256

          42e9d01c78c87aac25988c0c9623912e779e7208496e916841fc2b3d56b5e143

          SHA512

          d3260111bc629ee6365df1697c966e15ac9bac847aa6805fde73defe6068c1f8cd6de15ff5d4f7beea8e2b62e957860da8fd69d384bb5a818218ed1af4d95499

        • memory/1936-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1936-25-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1936-22-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1936-19-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1936-16-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1936-14-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1936-12-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2584-30-0x0000000000010000-0x0000000000048000-memory.dmp

          Filesize

          224KB