Overview

overview

10

Static

static

f38ceb5bcc...40.exe

windows7_x64

10

f38ceb5bcc...40.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 05:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f38ceb5bccd2de5ccf73d79ec5711d40.exe

  • Size

    2.1MB

  • MD5

    f38ceb5bccd2de5ccf73d79ec5711d40

  • SHA1

    72eb623006fad037f57831ebe2a554c3823105d9

  • SHA256

    f73282bb29d6711a116656bf12a55c2e7df5eb9a95376b6d1d087309fc37bb14

  • SHA512

    199be4590729211be3b144a789ba4455fdc4e23604b36f2a4989bb75a763718abcd058e075236040a8ed51158f7783c2f99f77bbbfd9796426deb3902fae851d

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f38ceb5bccd2de5ccf73d79ec5711d40.exe
    "C:\Users\Admin\AppData\Local\Temp\f38ceb5bccd2de5ccf73d79ec5711d40.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Program Files (x86)\Pwtqfef.exe
      "C:\Program Files (x86)\Pwtqfef.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:924
  • C:\Program Files (x86)\Pwtqfef.exe
    "C:\Program Files (x86)\Pwtqfef.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Program Files (x86)\Pwtqfef.exe
      "C:\Program Files (x86)\Pwtqfef.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4976
    • C:\Program Files (x86)\Pwtqfef.exe
      "C:\Program Files (x86)\Pwtqfef.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:5108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 660
      2⤵
      • Program crash
      PID:4484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2280 -ip 2280
    1⤵
      PID:1040

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Pwtqfef.exe
      Filesize

      2.1MB

      MD5

      f38ceb5bccd2de5ccf73d79ec5711d40

      SHA1

      72eb623006fad037f57831ebe2a554c3823105d9

      SHA256

      f73282bb29d6711a116656bf12a55c2e7df5eb9a95376b6d1d087309fc37bb14

      SHA512

      199be4590729211be3b144a789ba4455fdc4e23604b36f2a4989bb75a763718abcd058e075236040a8ed51158f7783c2f99f77bbbfd9796426deb3902fae851d

      Download Submit
    • C:\Program Files (x86)\Pwtqfef.exe
      Filesize

      2.1MB

      MD5

      f38ceb5bccd2de5ccf73d79ec5711d40

      SHA1

      72eb623006fad037f57831ebe2a554c3823105d9

      SHA256

      f73282bb29d6711a116656bf12a55c2e7df5eb9a95376b6d1d087309fc37bb14

      SHA512

      199be4590729211be3b144a789ba4455fdc4e23604b36f2a4989bb75a763718abcd058e075236040a8ed51158f7783c2f99f77bbbfd9796426deb3902fae851d

      Download Submit
    • C:\Program Files (x86)\Pwtqfef.exe
      Filesize

      2.1MB

      MD5

      f38ceb5bccd2de5ccf73d79ec5711d40

      SHA1

      72eb623006fad037f57831ebe2a554c3823105d9

      SHA256

      f73282bb29d6711a116656bf12a55c2e7df5eb9a95376b6d1d087309fc37bb14

      SHA512

      199be4590729211be3b144a789ba4455fdc4e23604b36f2a4989bb75a763718abcd058e075236040a8ed51158f7783c2f99f77bbbfd9796426deb3902fae851d

      Download Submit
    • C:\Program Files (x86)\Pwtqfef.exe
      Filesize

      2.1MB

      MD5

      f38ceb5bccd2de5ccf73d79ec5711d40

      SHA1

      72eb623006fad037f57831ebe2a554c3823105d9

      SHA256

      f73282bb29d6711a116656bf12a55c2e7df5eb9a95376b6d1d087309fc37bb14

      SHA512

      199be4590729211be3b144a789ba4455fdc4e23604b36f2a4989bb75a763718abcd058e075236040a8ed51158f7783c2f99f77bbbfd9796426deb3902fae851d

      Download Submit
    • C:\Program Files (x86)\Pwtqfef.exe
      Filesize

      2.1MB

      MD5

      f38ceb5bccd2de5ccf73d79ec5711d40

      SHA1

      72eb623006fad037f57831ebe2a554c3823105d9

      SHA256

      f73282bb29d6711a116656bf12a55c2e7df5eb9a95376b6d1d087309fc37bb14

      SHA512

      199be4590729211be3b144a789ba4455fdc4e23604b36f2a4989bb75a763718abcd058e075236040a8ed51158f7783c2f99f77bbbfd9796426deb3902fae851d

      Download Submit
    • memory/924-2841-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/924-2850-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/924-2843-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/924-1492-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/924-2840-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/924-1498-0x0000000075C90000-0x0000000075D0A000-memory.dmp
      Filesize

      488KB

      Download
    • memory/924-1497-0x0000000075F60000-0x0000000076100000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/924-1495-0x0000000077070000-0x0000000077285000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/924-1494-0x0000000077DD0000-0x0000000077F73000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/924-2851-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/924-4210-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/924-1489-0x0000000000000000-mapping.dmp
      Download
    • memory/2280-4199-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/2280-4202-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/2280-4209-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/2280-4208-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/2280-4200-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/2280-4413-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/2280-2857-0x0000000075C90000-0x0000000075D0A000-memory.dmp
      Filesize

      488KB

      Download
    • memory/2280-2856-0x0000000075F60000-0x0000000076100000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2280-2854-0x0000000077070000-0x0000000077285000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/2280-2853-0x0000000077DD0000-0x0000000077F73000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2280-2852-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/4976-6910-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/4976-6913-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/4976-6915-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/4976-6920-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/4976-6924-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/4976-6926-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/4976-6929-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/4976-6932-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/4976-4215-0x0000000077DD0000-0x0000000077F73000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4976-6935-0x0000000075150000-0x0000000075189000-memory.dmp
      Filesize

      228KB

      Download
    • memory/4976-6936-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/4976-4222-0x0000000075C90000-0x0000000075D0A000-memory.dmp
      Filesize

      488KB

      Download
    • memory/4976-4211-0x0000000000000000-mapping.dmp
      Download
    • memory/4976-4221-0x0000000075F60000-0x0000000076100000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4976-4217-0x0000000077070000-0x0000000077285000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/5024-131-0x0000000077DD0000-0x0000000077F73000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/5024-1493-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5024-1488-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/5024-1487-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/5024-1486-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5024-132-0x0000000077070000-0x0000000077285000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/5024-134-0x0000000075F60000-0x0000000076100000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/5024-1480-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5024-1484-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/5024-130-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5024-135-0x0000000075C90000-0x0000000075D0A000-memory.dmp
      Filesize

      488KB

      Download
    • memory/5024-1477-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5024-1478-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5024-1485-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/5024-1481-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/5108-4223-0x0000000075F60000-0x0000000076100000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/5108-6919-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5108-6917-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5108-6916-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5108-4227-0x0000000075C90000-0x0000000075D0A000-memory.dmp
      Filesize

      488KB

      Download
    • memory/5108-6931-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5108-4219-0x0000000077070000-0x0000000077285000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/5108-6933-0x0000000000400000-0x00000000005F1000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/5108-6934-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/5108-4213-0x0000000000000000-mapping.dmp
      Download
    • memory/5108-4216-0x0000000077DD0000-0x0000000077F73000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/5108-6937-0x0000000010000000-0x0000000010362000-memory.dmp
      Filesize

      3.4MB

      Download