Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-01-2025 01:50

General

  • Target

    MSUpdates.exe

  • Size

    97KB

  • MD5

    c30111e3592bf03a022b6369c110ad7f

  • SHA1

    f7f57137a029457f132ae63c1b41eac24ac21524

  • SHA256

    239eee98bbcc692f13bffb4d01eb5588b69c75c3e97587f428ca6042d53fb573

  • SHA512

    31df97aba34d102b6b07594fd91966a5120a6a320dbec5bc34c8d4480261891a082ede96be2cd850c5ce0fab1c17a502e4f33d64731f571a15932d84708e0dd2

  • SSDEEP

    1536:bXMujB//+wHnOcWnl5SZ2gcUNEr8JiPZkoo45Ddcq+gQV/caiCj:b8udHPHGlaNJiC+Dcq+gQV1J

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\MSUpdates.exe
    "C:\Users\Admin\AppData\Local\Temp\MSUpdates.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\SysWOW64\Userinit.exe
      Userinit.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\System32\hi5-9c.exe
          "C:\Windows\System32\hi5-9c.exe"
          4⤵
          PID:2016
          • C:\Windows\SysWOW64\runonce.exe
            C:\Windows\SysWOW64\runonce.exe /Run6432
            4⤵
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of WriteProcessMemory
            PID:2812
            • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
              "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2784

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      1e4c1066c85ffa0dc421f4d406af7b78

      SHA1

      4dad8caae757e13ab6df6be91130fef85652bb16

      SHA256

      87af01019c35fbab4776741f6b50c2dc40576ba3c1bf0f53dfe05d284b2234d4

      SHA512

      3b70bd123469d7db23ed08fcc0fcf871b224a933a8321d75aa4d838333f6bc2e6d150968321c96e5cf658835b1b633b8d2701d95d05660010b6d46afc1d421a0

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\ips138[1].htm

      Filesize

      162B

      MD5

      4f8e702cc244ec5d4de32740c0ecbd97

      SHA1

      3adb1f02d5b6054de0046e367c1d687b6cdf7aff

      SHA256

      9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

      SHA512

      21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

    • C:\Users\Admin\AppData\Local\Temp\CabB28F.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarB3BA.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • memory/1628-0-0x0000000000330000-0x000000000039E000-memory.dmp

      Filesize

      440KB

    • memory/2036-153-0x0000000002580000-0x0000000002590000-memory.dmp

      Filesize

      64KB