Overview

overview

10

Static

static

7d93a94989...22.exe

windows7-x64

10

7d93a94989...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    35s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2022, 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d93a949898c9dab18f81dedeb1a43b04b2e4247f41c292b543bd24ff815ae22.exe

  • Size

    184KB

  • MD5

    6b42c4773f94105895dbffff76a2ff80

  • SHA1

    1346bbff87eda91e78cb0007a7fd97944fcd73ad

  • SHA256

    7d93a949898c9dab18f81dedeb1a43b04b2e4247f41c292b543bd24ff815ae22

  • SHA512

    63a5826caaedfe7df758544c9e90f977ac5c24e1f1f2d55cf7f6adce9deb065d9f2cd9a380f7e1d183192200c074a90233915ca147b0275a272ba7a33c1ac992

  • SSDEEP

    3072:QKdAWkTthrHwvxiIe91s+n3p/5e8jR0cTs/w+VLXKr6vkvs9R8igyQfgEOBeOB0w:jwQvXoim363/OG58dyQIpXD

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d93a949898c9dab18f81dedeb1a43b04b2e4247f41c292b543bd24ff815ae22.exe
    "C:\Users\Admin\AppData\Local\Temp\7d93a949898c9dab18f81dedeb1a43b04b2e4247f41c292b543bd24ff815ae22.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\XXXXXXBA9CE30A\JH.BAT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn * /f
        3⤵
          PID:1992
        • C:\Windows\SysWOW64\sc.exe
          sc config Schedule start= auto
          3⤵
          • Launches sc.exe
          PID:784
        • C:\Windows\SysWOW64\net.exe
          net start "Task Scheduler"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start "Task Scheduler"
            4⤵
              PID:1976
          • C:\Windows\SysWOW64\at.exe
            At 0:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
            3⤵
              PID:1604
            • C:\Windows\SysWOW64\at.exe
              At 1:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
              3⤵
                PID:1980
              • C:\Windows\SysWOW64\at.exe
                At 2:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                3⤵
                  PID:1640
                • C:\Windows\SysWOW64\at.exe
                  At 3:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                  3⤵
                    PID:1496
                  • C:\Windows\SysWOW64\at.exe
                    At 4:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                    3⤵
                      PID:1648
                    • C:\Windows\SysWOW64\at.exe
                      At 5:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                      3⤵
                        PID:1832
                      • C:\Windows\SysWOW64\at.exe
                        At 6:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                        3⤵
                          PID:1016
                        • C:\Windows\SysWOW64\at.exe
                          At 7:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                          3⤵
                            PID:1392
                          • C:\Windows\SysWOW64\at.exe
                            At 8:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                            3⤵
                              PID:1368
                            • C:\Windows\SysWOW64\at.exe
                              At 9:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                              3⤵
                                PID:268
                              • C:\Windows\SysWOW64\at.exe
                                At 10:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                3⤵
                                  PID:1564
                                • C:\Windows\SysWOW64\at.exe
                                  At 11:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                  3⤵
                                    PID:1656
                                  • C:\Windows\SysWOW64\at.exe
                                    At 12:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                    3⤵
                                      PID:1508
                                    • C:\Windows\SysWOW64\at.exe
                                      At 13:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                      3⤵
                                        PID:772
                                      • C:\Windows\SysWOW64\at.exe
                                        At 14:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                        3⤵
                                          PID:1708
                                        • C:\Windows\SysWOW64\at.exe
                                          At 15:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                          3⤵
                                            PID:1048
                                          • C:\Windows\SysWOW64\at.exe
                                            At 16:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                            3⤵
                                              PID:1620
                                            • C:\Windows\SysWOW64\at.exe
                                              At 17:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                              3⤵
                                                PID:1852
                                              • C:\Windows\SysWOW64\at.exe
                                                At 18:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                                3⤵
                                                  PID:616
                                                • C:\Windows\SysWOW64\at.exe
                                                  At 19:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                                  3⤵
                                                    PID:940
                                                  • C:\Windows\SysWOW64\at.exe
                                                    At 20:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                                    3⤵
                                                      PID:1484
                                                    • C:\Windows\SysWOW64\at.exe
                                                      At 21:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                                      3⤵
                                                        PID:948
                                                      • C:\Windows\SysWOW64\at.exe
                                                        At 22:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                                        3⤵
                                                          PID:968
                                                        • C:\Windows\SysWOW64\at.exe
                                                          At 23:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                                          3⤵
                                                            PID:1816
                                                          • C:\Windows\SysWOW64\at.exe
                                                            At 24:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
                                                            3⤵
                                                              PID:1808

                                                        Network

                                                        MITRE ATT&CK Enterprise v6

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Windows\XXXXXXBA9CE30A\JH.BAT
                                                          Filesize

                                                          1KB

                                                          MD5

                                                          a8708048b03fe68bb7f28c442633d2f6

                                                          SHA1

                                                          3f523cfac1766a03975539c3b6be1763231c299f

                                                          SHA256

                                                          096aa79c769256466f285a41fecd0b6e173cb3ea4fede684f5afd4339d43e23b

                                                          SHA512

                                                          ab07c20018e364fb82a1a1770bc5f8b6a93811ca4bffffcc3eb0f1ef7e4d50545bc46fff033b2bf69094a693c0351a34bca756a819246ad3fd423b43dd76e254

                                                          Download Submit

                                                        • memory/2036-60-0x0000000010000000-0x0000000010122000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/2036-57-0x0000000010000000-0x0000000010122000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/2036-55-0x0000000010000000-0x0000000010122000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/2036-54-0x0000000076151000-0x0000000076153000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2036-118-0x0000000010000000-0x0000000010122000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download