Overview

overview

10

Static

static

3

2025-03-08...id.exe

windows7-x64

10

2025-03-08...id.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2025, 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe

  • Size

    1.2MB

  • MD5

    ceca87332b6baef1d4362835c645fde4

  • SHA1

    42e1397a1919374ca330e89c56e950be9774a7f1

  • SHA256

    3078bfd761b290630321b44bf7e068922cb3ed191c98785d9f6048e5d342e346

  • SHA512

    12ad155df88d18bc250bdca709d63e2615316d046bcf8fdd9e0daab0f1d71d87e91992d4fb502d7131de061540429ad687652e05cda59733ba2e1c0d8f814714

  • SSDEEP

    24576:RbndcEBtMIgeOZ+FzZ5flLBVv0p8o30k65zQtqBG3G3ndFBex92JeDty/IZs:tndJBth/t59Fp9aDiQc6YdFBex92Jep8

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\appsoft\\install32.dll,installsvc InstallService
      2⤵
      • Server Software Component: Terminal Services DLL
      • Sets service image path in registry
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\delself.bat"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2748
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe NetworkService 2284
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\appsoft\install32.dat
    Filesize

    279KB

    MD5

    02adb5a63d5d4fa74ddcc9e3b6976624

    SHA1

    cbb6b7e8e537dad3892361f26837396ea9695848

    SHA256

    d40e9f8176766b4a31ac9807837c3be0e957b755b6f3dd0eb8caf44aeb032060

    SHA512

    d3458c37c9892868e63dddadf26686ba30751a40bf529fc51df0d936fcede8145446a611a82e737ee36adf55b48f73f3a72f8ce381fc880a879fec23b9c1592a

    Download Submit

  • C:\ProgramData\appsoft\install32.dll
    Filesize

    52KB

    MD5

    b39caefae13d0dc0344380b9b19c33c4

    SHA1

    6fe41d9026112599721916a251169ca360cc18e8

    SHA256

    766cee16390c18a85fb3ec9b740986c8ab022cbc35660ff60fba6e72050d417c

    SHA512

    76136b62ebfd8c969a6bf97c6e76127b67697ec0c7da1068c9951e6be4f8c8960d57103ad429f91ddc43702debbca069ba32ac2b6c179902111f339e7090e02a

    Download Submit

  • C:\ProgramData\appsoft\svc.dll
    Filesize

    56KB

    MD5

    823e689e34be362faeddb2bd8d32a05e

    SHA1

    fcc66ea2198a03def308c53adda78d4a64ed22f7

    SHA256

    b0a58c6c859833eb6fb1c7d8cb0c5875ab42be727996bcc20b17dd8ad0058ffa

    SHA512

    f9910032025a61c97c8812249494ba1f6f92b6fce34854d485aff17e45f34c9c6e913484316f90ad4ffe1823083f104ad2b47dd6a2d92eae383ae7d4c0a63fb4

    Download Submit

  • C:\ProgramData\resmon.resmoncfg
    Filesize

    1KB

    MD5

    8f490dc7ec6782d4fd16f67c1df1c5f3

    SHA1

    038e54e03f3b8faf60c69a6d4c073df99bcb5953

    SHA256

    b448c3c879a662e82f1e9dca21c53abd2c0bd2f7aab1631918a04e910e41e5ed

    SHA512

    f1e9ab048bf6ea22f9d23d080ba10b7dcf7b395f09d4f32e39dbb9f03ab75ce61508b449f4d01e9c45dd236f1f43fc394ebd8facf02089925ef3acae55deaa7c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\delself.bat
    Filesize

    307B

    MD5

    ee84b4ec9e7d5d14f725ba596455147f

    SHA1

    5f9e205ffb52d2293821524be39a0d165dfe6a6c

    SHA256

    e9b25efc10a6dea19e2b88a425f7ebcaaff90cebab175e8a1f12a2017892ba1d

    SHA512

    0c1875f2c8c447adec41da1d5a4a457a35a05be8505b4bc302967843da793e5689ad9e884c727fbfe5504b80e4e1d231e4e08bbe0f43799c64c9b410b31cdac6

    Download Submit

  • memory/1804-43-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1804-25-0x00000000001E0000-0x0000000000226000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1804-26-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1804-28-0x0000000000920000-0x0000000000960000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1804-27-0x0000000000350000-0x000000000038E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1804-47-0x0000000000920000-0x0000000000960000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2124-42-0x0000000000020000-0x000000000003D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2124-48-0x00000000001A0000-0x00000000001A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-41-0x0000000000080000-0x000000000009E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2124-60-0x0000000000020000-0x000000000003D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2124-44-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-38-0x0000000000080000-0x000000000009E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2124-45-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2284-37-0x00000000004A0000-0x00000000004E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2284-35-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2284-59-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2284-61-0x000000007E000000-0x000000007E011000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2324-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2324-2-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2324-40-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download