Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 20:50

General

  • Target

    8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe

  • Size

    2.8MB

  • MD5

    b35ba959f3d42c9902336dc2d3a0c9b9

  • SHA1

    bf675713b46652024da9093a6f4fe90a5c7b577f

  • SHA256

    8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e

  • SHA512

    7a8659ba49cbb8bd4c315dd3da4b9bb8d65ae97b391befb57b54ae7e4678d01d380ec5e8c1df1f0cfbd0b60e3dc922a0a5d5d99cd713690ff8e313d244996f80

  • SSDEEP

    49152:NUCCeDMTHzLlCT3ZF4tn+vc2lxehaXGpudG5cJpbhrba:vvMTHdCT3ktnUcixlGKb8

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
    "C:\Users\Admin\AppData\Local\Temp\8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1804
    • \??\c:\windows\system32\cmd.exe
      c:\windows\sysnative\cmd /c "C:\Windows\Temp\SubRangs.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\Temp\SubRangs.exe
        C:\Windows\Temp\SubRangs.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\Temp\Internet Explorer.exe
          "C:\Windows\Temp\Internet Explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Temp\Internet Explorer.exe

    Filesize

    1.1MB

    MD5

    cbd351fc93b61ca74898d8183d36d9a2

    SHA1

    3c1ad1055438642571e4160c213bb563085d640c

    SHA256

    ebc9ed2855d5847894414e9e72b729d978d46d8ec81335ae6e1fc3432a838069

    SHA512

    ee4f6897c91e37571d8c1c929593f7aecfbaad5aa6ca896a035203df285d1bc33f3c042f5850e5433d7c599f33371b6de0c527787abc93c581d27d8b190224d3

  • C:\Windows\Temp\SubRangs.exe

    Filesize

    666KB

    MD5

    a48c8e538d62c65ca94d7651f1364f37

    SHA1

    41a9fe6d151b2880cc4ea37885c4430d353e8159

    SHA256

    e4e34957dfa20c6cd73cc5e1a4d800079d3eeab4899cf2e72cb876da662179ec

    SHA512

    cf900db3656f47ae5c78a1831647e570967e1011a0f50db47ef99438293a071b8e3eb9b1bcf32f393a9d32ff31e8176b9f0da4fd59dca99777f2160b11f2dd79

  • \Users\Admin\AppData\Local\Temp\E_N60005\krnln.fnr

    Filesize

    1.2MB

    MD5

    a6a397b67ebac717e7ec095bf9b597ee

    SHA1

    80c7459654f3564c0cb74a47398d48e0f02cb82f

    SHA256

    847fbe068ff90112d9b76c04587439ee3a3866d8c60466bb4673491d94ddfd89

    SHA512

    0eb5528a4aad4458feddbefb5347d0e2cd84d6240a341ccc425d6ed98d15d8588d8635f21d30af389a2af5ac9537bea56a1d97530ac90e965989e296f1c5d8c8

  • \Users\Admin\AppData\Local\Temp\E_N60005\shell.fne

    Filesize

    60KB

    MD5

    98174c8c2995000efbda01e1b86a1d4d

    SHA1

    7e71a5a029a203e4ab0afc68eee18c39f4ab4097

    SHA256

    90284c2ead0598faa715cc90c1f53b83b916099c918ce7f816f0b4550ff55ac6

    SHA512

    a37059062a99cd2a9fae15850b49068752ccf0be9f1d86c3f812a689b7c4d024771ec2b66adf9ce950bc5b8b117d457aba87d586cf112a1a30239531bfc8cd06

  • memory/2816-17-0x0000000003020000-0x0000000003195000-memory.dmp

    Filesize

    1.5MB

  • memory/2816-4-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2816-10-0x0000000000490000-0x00000000004A5000-memory.dmp

    Filesize

    84KB

  • memory/2816-14-0x0000000003020000-0x0000000003195000-memory.dmp

    Filesize

    1.5MB

  • memory/2816-19-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2864-533-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-541-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-518-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-559-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-519-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-569-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-577-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-521-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-523-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-525-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-527-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-529-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-531-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-18-0x0000000000400000-0x0000000000575000-memory.dmp

    Filesize

    1.5MB

  • memory/2864-535-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-537-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-539-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-20-0x00000000760C0000-0x0000000076107000-memory.dmp

    Filesize

    284KB

  • memory/2864-543-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-545-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-547-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-549-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-551-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-557-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-555-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-553-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-563-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-561-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-565-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-2254-0x0000000002260000-0x00000000023E1000-memory.dmp

    Filesize

    1.5MB

  • memory/2864-579-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-575-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-573-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-571-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-567-0x00000000023F0000-0x0000000002501000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-7809-0x0000000000400000-0x0000000000575000-memory.dmp

    Filesize

    1.5MB