Overview

overview

10

Static

static

3

MSUpdates.exe

windows7-x64

10

MSUpdates.exe

windows10-2004-x64

10

enlpu.dll

windows7-x64

10

enlpu.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2025 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    enlpu.dll

  • Size

    50.2MB

  • MD5

    16a2f5d1ac6a7f134d808050c3697a68

  • SHA1

    d192bcedbedec45f8770bf1b225936862aa78727

  • SHA256

    c57b86b7e816cddb68e0903b12c30bb0495ca4cdf69f5dee9fc281eea3cd39ca

  • SHA512

    dbb163f0fee43a2ffe9cbaca0aa8542a70570eb527efaee44748666b09d75db91f51826adbd845715633c359423cb2ab66ef8c758b62c05152ee7b9ea1296659

  • SSDEEP

    3072:tSorJcpkszwTzM6ZCtOSMiwO2njCampn6VwJ3VY0yX6a4:tSbWsazMzMiunZmd6VwJFY0yX6V

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Blocklisted process makes network request 16 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\enlpu.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\enlpu.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\SysWOW64\Userinit.exe
        Userinit.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\System32\dzuhbf.exe
            "C:\Windows\System32\dzuhbf.exe"
            5⤵
              PID:1444
            • C:\Windows\SysWOW64\runonce.exe
              C:\Windows\SysWOW64\runonce.exe /Run6432
              5⤵
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:2388
              • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
                "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      41e23954b2e35167312f692bba27a660

      SHA1

      55d98d3c570716223dea26a448371d37f5ce676b

      SHA256

      2739dae91124f95f8fe0ac2617a8bf587b84d95978991f9c7a805e128cbee512

      SHA512

      3fb76150535b7777463e55f5508a89082f2a0f69c36571d809d4625b26d3f1d535dc5ee34a402320f2647609f8b85aaeb73e9131d21d4037a606737edb251220

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\ips138[1].htm
      Filesize

      162B

      MD5

      4f8e702cc244ec5d4de32740c0ecbd97

      SHA1

      3adb1f02d5b6054de0046e367c1d687b6cdf7aff

      SHA256

      9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

      SHA512

      21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabF308.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarF369.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • memory/1564-0-0x00000000002D0000-0x000000000033E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2960-153-0x0000000002630000-0x0000000002640000-memory.dmp

      Filesize

      64KB

      Download