Analysis

max time kernel: 120s
max time network: 127s
platform: windows11-21h2_x64
resource: win11-20250217-en
resource tags: arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07/03/2025, 19:18
Static task: static1
Behavioral task: behavioral1 (Sample: libcef.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: libcef.exe, Resource: win10ltsc2021-20250217-en)
Behavioral task: behavioral3 (Sample: libcef.exe, Resource: win11-20250217-en)
General

Target: libcef.exe
Size: 440KB
MD5: 71efcad545b463046639217a13374130
SHA1: 6dab64e59b94adb4a76984e0b8364d352b2566ec
SHA256: 7d411b417c49604305ce9661da23b49a3a3e1ed1bd9d4c5986b4bf5e5f6da5e9
SHA512: b9292d619dc2638a1df252371b100bc25ea52eba0316577cb299c7456875d629e2f8de4abe99cc77e17479665b50d1627342a712f7b7350a150f4628d27f99f2
SSDEEP: 6144:Xbwen1gUU1lzgAyWMZ7qxHDP7DBFi6PWgIlDP6FPm/h4VSdcn+3Y1tMmbWs:XbweCa1qpT2FGm/hsf+3Y12wW
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
resource: behavioral3/memory/2680-1-0x0000000010000000-0x0000000010057000-memory.dmp; yara_rule: family_gh0strat

Gh0strat family

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libcef.exe"; Process: libcef.exe

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); ioc: \??\Z:, \??\R:, \??\I:, \??\K:, \??\L:, \??\Q:, \??\S:, \??\X:, \??\G:, \??\M:, \??\N:, \??\O:, \??\B:, \??\E:, \??\H:, \??\J:, \??\T:, \??\V:, \??\W:, \??\P:, \??\U:, \??\Y:; Process: libcef.exe (one event per drive letter)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: libcef.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; Process: libcef.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; Process: libcef.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 2680; Process: libcef.exe (64 identical events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description: Token: 33; pid: 2680; Process: libcef.exe
description: Token: SeIncBasePriorityPrivilege; pid: 2680; Process: libcef.exe
description: Token: 33; pid: 2680; Process: libcef.exe
description: Token: SeIncBasePriorityPrivilege; pid: 2680; Process: libcef.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid: 2680; Process: libcef.exe (2 identical events)
Processes

C:\Users\Admin\AppData\Local\Temp\libcef.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\libcef.exe"
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2680