Analysis

  • max time kernel
    118s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20220901-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02/10/2022, 09:18

General

  • Target

    7d93a949898c9dab18f81dedeb1a43b04b2e4247f41c292b543bd24ff815ae22.exe

  • Size

    184KB

  • MD5

    6b42c4773f94105895dbffff76a2ff80

  • SHA1

    1346bbff87eda91e78cb0007a7fd97944fcd73ad

  • SHA256

    7d93a949898c9dab18f81dedeb1a43b04b2e4247f41c292b543bd24ff815ae22

  • SHA512

    63a5826caaedfe7df758544c9e90f977ac5c24e1f1f2d55cf7f6adce9deb065d9f2cd9a380f7e1d183192200c074a90233915ca147b0275a272ba7a33c1ac992

  • SSDEEP

    3072:QKdAWkTthrHwvxiIe91s+n3p/5e8jR0cTs/w+VLXKr6vkvs9R8igyQfgEOBeOB0w:jwQvXoim363/OG58dyQIpXD

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d93a949898c9dab18f81dedeb1a43b04b2e4247f41c292b543bd24ff815ae22.exe
    "C:\Users\Admin\AppData\Local\Temp\7d93a949898c9dab18f81dedeb1a43b04b2e4247f41c292b543bd24ff815ae22.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\XXXXXXBA9CE30A\JH.BAT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn * /f
        3⤵
        PID:3588
      • C:\Windows\SysWOW64\sc.exe
        sc config Schedule start= auto
        3⤵
        • Launches sc.exe
        PID:1908
      • C:\Windows\SysWOW64\net.exe
        net start "Task Scheduler"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start "Task Scheduler"
          4⤵
          PID:2832
      • C:\Windows\SysWOW64\at.exe
        At 0:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4116
      • C:\Windows\SysWOW64\at.exe
        At 1:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4008
      • C:\Windows\SysWOW64\at.exe
        At 2:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:796
      • C:\Windows\SysWOW64\at.exe
        At 3:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:1092
      • C:\Windows\SysWOW64\at.exe
        At 4:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:2256
      • C:\Windows\SysWOW64\at.exe
        At 5:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:3792
      • C:\Windows\SysWOW64\at.exe
        At 6:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4664
      • C:\Windows\SysWOW64\at.exe
        At 7:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:2284
      • C:\Windows\SysWOW64\at.exe
        At 8:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4688
      • C:\Windows\SysWOW64\at.exe
        At 9:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:1264
      • C:\Windows\SysWOW64\at.exe
        At 10:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4372
      • C:\Windows\SysWOW64\at.exe
        At 11:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4192
      • C:\Windows\SysWOW64\at.exe
        At 12:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:3060
      • C:\Windows\SysWOW64\at.exe
        At 13:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:3448
      • C:\Windows\SysWOW64\at.exe
        At 14:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4468
      • C:\Windows\SysWOW64\at.exe
        At 15:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:1716
      • C:\Windows\SysWOW64\at.exe
        At 16:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4604
      • C:\Windows\SysWOW64\at.exe
        At 17:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4508
      • C:\Windows\SysWOW64\at.exe
        At 18:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4720
      • C:\Windows\SysWOW64\at.exe
        At 19:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:2520
      • C:\Windows\SysWOW64\at.exe
        At 20:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4552
      • C:\Windows\SysWOW64\at.exe
        At 21:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4072
      • C:\Windows\SysWOW64\at.exe
        At 22:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:1184
      • C:\Windows\SysWOW64\at.exe
        At 23:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:568
      • C:\Windows\SysWOW64\at.exe
        At 24:00 C:\Windows\XXXXXXBA9CE30A\svchsot.exe
        3⤵
        PID:4280

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\XXXXXXBA9CE30A\JH.BAT

    Filesize

    1KB

    MD5

    a8708048b03fe68bb7f28c442633d2f6

    SHA1

    3f523cfac1766a03975539c3b6be1763231c299f

    SHA256

    096aa79c769256466f285a41fecd0b6e173cb3ea4fede684f5afd4339d43e23b

    SHA512

    ab07c20018e364fb82a1a1770bc5f8b6a93811ca4bffffcc3eb0f1ef7e4d50545bc46fff033b2bf69094a693c0351a34bca756a819246ad3fd423b43dd76e254

  • memory/2216-132-0x0000000010000000-0x0000000010122000-memory.dmp

    Filesize

    1.1MB

  • memory/2216-137-0x0000000010000000-0x0000000010122000-memory.dmp

    Filesize

    1.1MB

  • memory/2216-135-0x0000000010000000-0x0000000010122000-memory.dmp

    Filesize

    1.1MB

  • memory/2216-134-0x0000000010000000-0x0000000010122000-memory.dmp

    Filesize

    1.1MB