Overview

overview

10

Static

static

a4a6f36b13...f2.exe

windows7_x64

10

a4a6f36b13...f2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    203s
  • max time network
    227s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-05-2022 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe

  • Size

    944KB

  • MD5

    e4f4b58d13524ae7521d07274eabc0f0

  • SHA1

    0cb88305e8e0e8a9dea1db8025caede6f6f256bb

  • SHA256

    a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2

  • SHA512

    8593105fa62843dd144a900ddb1ae9f4ffda76549f240166418c10b585e5c8df9397a0c3eef7215e1784d103c6a3ab578efd1aaf63b76852d310890d7d262b4d

Score
10/10
gh0stratxmrigminerpersistenceratsuricata

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 3 IoCs
    miner
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 36 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
    "C:\Users\Admin\AppData\Local\Temp\a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Local\Temp\84.exe
      C:\Users\Admin\AppData\Local\Temp\84.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\84.exe > nul
        3⤵
          PID:1108
      • C:\Windows\IIS\CPUInfo.exe
        "C:\Windows\IIS\CPUInfo.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\IIS\1.BAT" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\SysWOW64\regedit.exe
            regedit.exe /s iis.reg
            4⤵
            • Runs .reg file with regedit
            PID:624
    • C:\Windows\SysWOW64\systeinfo.exe
      C:\Windows\SysWOW64\systeinfo.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 296
        2⤵
        • Loads dropped DLL
        • Program crash
        PID:1808
      • C:\Windows\SysWOW64\systeinfo.exe
        C:\Windows\SysWOW64\systeinfo.exe Win7
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        PID:884

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\84.exe
      Filesize

      180KB

      MD5

      5ee6b001a1cc627f56b239fb33a9bb14

      SHA1

      5d960e316da7321802ee43d5138c15bb651eedbf

      SHA256

      d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

      SHA512

      03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\84.exe
      Filesize

      180KB

      MD5

      5ee6b001a1cc627f56b239fb33a9bb14

      SHA1

      5d960e316da7321802ee43d5138c15bb651eedbf

      SHA256

      d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

      SHA512

      03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

      Download Submit
    • C:\Windows\IIS\1.BAT
      Filesize

      32B

      MD5

      2450c0476e1be691164e992f796c1c13

      SHA1

      3fe9da9ae94dab5fe732023e24c509d7471605cf

      SHA256

      653596cb1f474fc012624a04f6504f2f01fb4aacf1f121e653b20cf262b28164

      SHA512

      f23ac0f0a11b6861f0927d01d5e42261f552a975140c9c061f1da338f013475164089b9777b083d6718f0fab268a63469d5875ed7f7c9c329b22de2ebb268997

      Download Submit
    • C:\Windows\IIS\CPUInfo.exe
      Filesize

      13.7MB

      MD5

      25db93b9c70a81bd8ab39dada7ea9691

      SHA1

      b3d3eccc28c99631e85db8214f750b853773b8c3

      SHA256

      f29842a6956eabe0989657309fe3ccc27e30f297a45fa8dd6ac04f74c4e1d8be

      SHA512

      6d7ac5943e214ee1120f4a7a0f5c95a9e624e9b04afd7411c52ddc73fab75f048ed74ece1f58d6ab24ef440c64df037a8d09638995a6911df1d1a0c66ceb4d6b

      Download Submit
    • C:\Windows\IIS\iis.reg
      Filesize

      1KB

      MD5

      77226e89c32d86ac341cdce4884b03a1

      SHA1

      bc78bef2aaa2a4699a85d78c9a76304a812885ab

      SHA256

      1fee5453d046a348fe795039210519ff94846bab0980e583b32255726d035607

      SHA512

      e9e380b22b3cfff23c778ad106071c8420f8aca6634ce1e5ea9973ec42a66f188bb6dd5b3404d3baccf84a738464bcfe9318441c516dd60453fed02ae398b286

      Download Submit
    • C:\Windows\SysWOW64\systeinfo.exe
      Filesize

      180KB

      MD5

      5ee6b001a1cc627f56b239fb33a9bb14

      SHA1

      5d960e316da7321802ee43d5138c15bb651eedbf

      SHA256

      d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

      SHA512

      03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

      Download Submit
    • C:\Windows\SysWOW64\systeinfo.exe
      Filesize

      180KB

      MD5

      5ee6b001a1cc627f56b239fb33a9bb14

      SHA1

      5d960e316da7321802ee43d5138c15bb651eedbf

      SHA256

      d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

      SHA512

      03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

      Download Submit
    • C:\Windows\SysWOW64\systeinfo.exe
      Filesize

      180KB

      MD5

      5ee6b001a1cc627f56b239fb33a9bb14

      SHA1

      5d960e316da7321802ee43d5138c15bb651eedbf

      SHA256

      d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

      SHA512

      03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\84.exe
      Filesize

      180KB

      MD5

      5ee6b001a1cc627f56b239fb33a9bb14

      SHA1

      5d960e316da7321802ee43d5138c15bb651eedbf

      SHA256

      d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

      SHA512

      03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\84.exe
      Filesize

      180KB

      MD5

      5ee6b001a1cc627f56b239fb33a9bb14

      SHA1

      5d960e316da7321802ee43d5138c15bb651eedbf

      SHA256

      d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

      SHA512

      03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

      Download Submit
    • \Windows\IIS\CPUInfo.exe
      Filesize

      13.7MB

      MD5

      25db93b9c70a81bd8ab39dada7ea9691

      SHA1

      b3d3eccc28c99631e85db8214f750b853773b8c3

      SHA256

      f29842a6956eabe0989657309fe3ccc27e30f297a45fa8dd6ac04f74c4e1d8be

      SHA512

      6d7ac5943e214ee1120f4a7a0f5c95a9e624e9b04afd7411c52ddc73fab75f048ed74ece1f58d6ab24ef440c64df037a8d09638995a6911df1d1a0c66ceb4d6b

      Download Submit
    • \Windows\IIS\CPUInfo.exe
      Filesize

      13.7MB

      MD5

      25db93b9c70a81bd8ab39dada7ea9691

      SHA1

      b3d3eccc28c99631e85db8214f750b853773b8c3

      SHA256

      f29842a6956eabe0989657309fe3ccc27e30f297a45fa8dd6ac04f74c4e1d8be

      SHA512

      6d7ac5943e214ee1120f4a7a0f5c95a9e624e9b04afd7411c52ddc73fab75f048ed74ece1f58d6ab24ef440c64df037a8d09638995a6911df1d1a0c66ceb4d6b

      Download Submit
    • \Windows\SysWOW64\systeinfo.exe
      Filesize

      180KB

      MD5

      5ee6b001a1cc627f56b239fb33a9bb14

      SHA1

      5d960e316da7321802ee43d5138c15bb651eedbf

      SHA256

      d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

      SHA512

      03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

      Download Submit
    • \Windows\SysWOW64\systeinfo.exe
      Filesize

      180KB

      MD5

      5ee6b001a1cc627f56b239fb33a9bb14

      SHA1

      5d960e316da7321802ee43d5138c15bb651eedbf

      SHA256

      d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

      SHA512

      03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

      Download Submit
    • memory/624-90-0x0000000000000000-mapping.dmp
      Download
    • memory/884-79-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/884-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1108-77-0x0000000000000000-mapping.dmp
      Download
    • memory/1328-54-0x0000000076C81000-0x0000000076C83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1328-93-0x0000000000400000-0x000000000051B000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1380-85-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-88-0x0000000000000000-mapping.dmp
      Download
    • memory/1808-74-0x0000000000000000-mapping.dmp
      Download
    • memory/2044-60-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/2044-57-0x0000000000000000-mapping.dmp
      Download