Analysis

  • max time kernel
    0s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 13:48

General

  • Target

    03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe

  • Size

    2.5MB

  • MD5

    c4b5fdf92ad5b5e7d8d8df0648cb8044

  • SHA1

    54189d8c5cba249b57fd6a63e35f8d04675478f4

  • SHA256

    03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c

  • SHA512

    5ff11d8e2c83f5176499815b04f2ca2164cdd4933a5e359f97f10b0ac3899b59cab642a72a26a12c8eeba89d398651a550d79e0d5ca9928de00b240a0d85b84e

  • SSDEEP

    24576:bCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHv:bCwsbCANnKXferL7Vwe/Gg0P+WhViDn

Malware Config

Signatures

  • Gh0st RAT payload 14 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe
    "C:\Users\Admin\AppData\Local\Temp\03ae5aaef1dc79c45eedd14698e221533735d829bf172cbd1049219e60e1ff0c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1752
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:1264
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1564
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
    1⤵
      PID:4256
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:3604
      • C:\Windows\SysWOW64\Remote Data.exe
        "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240623421.txt",MainThread
        2⤵
          PID:2852
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -auto
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3488
        • C:\Windows\SysWOW64\TXPlatfor.exe
          C:\Windows\SysWOW64\TXPlatfor.exe -acsi
          2⤵
          • Executes dropped EXE
          PID:2596

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

        Filesize

        309KB

        MD5

        1d96fe2f0b12c9c276b71398a35b0588

        SHA1

        853be9fa1eec19905f442e8bffcbc0105ebae6c0

        SHA256

        7a8b15dba469bfbd770701312b657c079a276252a7677cb667f1b481768684d2

        SHA512

        a8743e0d7a22387621e2acd6dd1ea06ddd448b3ba0c888da587f727ff1fccd3fd363951899bfe6e25d711abe7a9845e14af5ba038b81bb6f04a0f32953ccf70e

      • C:\Users\Admin\AppData\Local\Temp\N.exe

        Filesize

        377KB

        MD5

        4a36a48e58829c22381572b2040b6fe0

        SHA1

        f09d30e44ff7e3f20a5de307720f3ad148c6143b

        SHA256

        3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

        SHA512

        5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

      • C:\Users\Admin\AppData\Local\Temp\R.exe

        Filesize

        576KB

        MD5

        038f250b9e8c049afe63178a1f927f85

        SHA1

        93091bcc8a32b71e95980f0305d2f3676582aa51

        SHA256

        9f69f32f834ed11c9aab1905ea37ddd814ec528b3705837dcbbc4efd6a7e5cca

        SHA512

        81994a2c9030fe6d330b220b08d8f5a7b797dd0f345385564b57a105c51f508517bfa5e72241c7a095a47c12ff38428c8d180824fcc8594f926848b32a52bde5

      • C:\Users\Admin\AppData\Local\Temp\R.exe

        Filesize

        327KB

        MD5

        43795e9d2244e546b8ea64a91a9ac0a0

        SHA1

        0a177c8e4a33d346fe47154f49c9fd5109182ec5

        SHA256

        a55f30fba1ff7c341360adccb97a8c98ffca92800b034197de5bc1b6da6ff0e3

        SHA512

        be74e23372720953eb1c39706990d67733d6fdfe72ae67fb2a442fd47c28446faacaed67472415c08b9a5bda574353267933a8f03aba7395acf7c9f0ea9d6a4c

      • C:\Windows\SysWOW64\240623421.txt

        Filesize

        595KB

        MD5

        353687ca67d0a9a98c36f34d58ae1832

        SHA1

        c9a9023e1ea02e71e4133e72f0359635a5597fd0

        SHA256

        f368bd2a68102acb53286f09fb5bdbc33272f837507bb5a018120eb5cd74dbfb

        SHA512

        075ac41a3676a77e1e31ddbf55a9f19410a6e85c07a2b717cfc03ab700857fb5b75464942a672b9ee9b9709d1c39872d9086e4d9391b860e6cb5378cbfae8048

      • C:\Windows\SysWOW64\240623421.txt

        Filesize

        288KB

        MD5

        06cfb478cb9d517e415a56bcb7cc6879

        SHA1

        6e58a592672147c1a3b89e6046c7c173ef940b04

        SHA256

        ffd6984d52459dcf0830de6dfee32502296c1a2f988e9defe45b3ee6bb5aad77

        SHA512

        f92d08a500c7aa14729a2fcb27cb6ccfa917600bed873bb6e119b537c7d1c7f3c413c2977cd110931f6964d89b0977b98561be9d109097c9b5ac2c61392b3a93

      • C:\Windows\SysWOW64\240623421.txt

        Filesize

        663KB

        MD5

        1ecf0969cdba3d0c375ee4d797f8cf06

        SHA1

        2123706589e080376171614e0dd6c4557d8ad491

        SHA256

        8985378daa6b4ecf0e53f11f08ba8945e0a4796d4a8ee86e0b7d1328647829e0

        SHA512

        d8c45df30c8ae97e575be79470141f079e9783e09b58409904ee8ad41a9ea82d51442bc43de24715c3f7dc7b1fb724b5239bc1e73fbc61358bcffcfbb23e1306

      • C:\Windows\SysWOW64\Remote Data.exe

        Filesize

        60KB

        MD5

        889b99c52a60dd49227c5e485a016679

        SHA1

        8fa889e456aa646a4d0a4349977430ce5fa5e2d7

        SHA256

        6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

        SHA512

        08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

      • \??\c:\windows\SysWOW64\240623421.txt

        Filesize

        514KB

        MD5

        e943b1235624ca770fd4b11e0f91fca7

        SHA1

        da981e125b45148559b02c152c6f89d03112ae0e

        SHA256

        a00c82e630a3bdfd611f02a9c714401063c709797041ddeccffcecf91ecb6cc8

        SHA512

        2db8c253cd8bbea5b4c1e481c5222d395a8ec955278c76accb28284febcd1cbb496a0e5d57b6ac46aee4c637a44a2afadbc9087e7ae628b5b241cd5a04b2ffe3

      • memory/2596-32-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2596-48-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2596-45-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2596-52-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2596-35-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2596-34-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/3488-26-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/3488-28-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/3488-29-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/4072-19-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/4072-23-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/4072-20-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/4072-17-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB