Analysis

max time kernel: 0s
max time network: 34s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 13:48
Static task: static1

Behavioral task: behavioral1
  Sample: 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe
  Resource: win10v2004-20241007-en
General

Target: 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe
Size: 2.5MB
MD5: c4b5fdf92ad5b5e7d8d8df0648cb8044
SHA1: 54189d8c5cba249b57fd6a63e35f8d04675478f4
SHA256: 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c
SHA512: 5ff11d8e2c83f5176499815b04f2ca2164cdd4933a5e359f97f10b0ac3899b59cab642a72a26a12c8eeba89d398651a550d79e0d5ca9928de00b240a0d85b84e
SSDEEP: 24576:bCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHv:bCwsbCANnKXferL7Vwe/Gg0P+WhViDn
Signatures

Gh0st RAT payload (14 IoCs)
Gh0strat family

Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240623421.txt"
  process: R.exe

Executes dropped EXE (4 IoCs)
  pid / process:
  1752 R.exe
  4072 N.exe
  3488 TXPlatfor.exe
  2596 TXPlatfor.exe

Loads dropped DLL (2 IoCs)
  pid / process:
  1752 R.exe
  3604 svchost.exe

Drops file in System32 directory (6 IoCs)
  description / ioc / process:
  File created: C:\Windows\SysWOW64\240623421.txt (R.exe)
  File opened for modification: C:\Windows\SysWOW64\ini.ini (R.exe)
  File created: C:\Windows\SysWOW64\Remote Data.exe (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\Remote Data.exe (svchost.exe)
  File created: C:\Windows\SysWOW64\TXPlatfor.exe (N.exe)
  File opened for modification: C:\Windows\SysWOW64\TXPlatfor.exe (N.exe)
UPX-packed memory regions (yara_rule upx, 13 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / process:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (TXPlatfor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (R.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid / process:
  1564 PING.EXE
  1264 cmd.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid / process:
  1564 PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / process:
  Token: SeIncBasePriorityPrivilege, 4072 N.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / process:
  1052 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe
  1052 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / process / procid_target:
  PID 1052 wrote to memory of 1752, 1052 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe, 83
  PID 1052 wrote to memory of 1752, 1052 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe, 83
  PID 1052 wrote to memory of 1752, 1052 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe, 83
  PID 1052 wrote to memory of 4072, 1052 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe, 86
  PID 1052 wrote to memory of 4072, 1052 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe, 86
  PID 1052 wrote to memory of 4072, 1052 03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe, 86
  PID 4072 wrote to memory of 1264, 4072 N.exe, 88
  PID 4072 wrote to memory of 1264, 4072 N.exe, 88
  PID 4072 wrote to memory of 1264, 4072 N.exe, 88
  PID 3488 wrote to memory of 2596, 3488 TXPlatfor.exe, 89
  PID 3488 wrote to memory of 2596, 3488 TXPlatfor.exe, 89
  PID 3488 wrote to memory of 2596, 3488 TXPlatfor.exe, 89
Processes

C:\Users\Admin\AppData\Local\Temp\03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe"
  PID: 1052
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\R.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\R.exe
    PID: 1752
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\N.exe
    PID: 4072
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
      PID: 1264
      - System Network Configuration Discovery: Internet Connection Discovery

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        PID: 1564
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  PID: 4256

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  PID: 3604
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\Remote Data.exe
    Command line: "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240623421.txt",MainThread
    PID: 2852

C:\Windows\SysWOW64\TXPlatfor.exe
  Command line: C:\Windows\SysWOW64\TXPlatfor.exe -auto
  PID: 3488
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\TXPlatfor.exe
    Command line: C:\Windows\SysWOW64\TXPlatfor.exe -acsi
    PID: 2596
    - Executes dropped EXE
MITRE ATT&CK mapping: Enterprise v15
Downloads