Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-10-2022 13:27

General

  • Target

    593d9a97ac754168b88f27352eaaae8985c2a84d4031207d12d450b223d2fe41.exe

  • Size

    480KB

  • MD5

    6f50e2b491285314dffbdf495c20b1e0

  • SHA1

    12f3bc625b8cde134da267ddbaa70df9ad49848b

  • SHA256

    593d9a97ac754168b88f27352eaaae8985c2a84d4031207d12d450b223d2fe41

  • SHA512

    ddd629e0c8136b3de43ed7a000caa268e3f65c6e6fe01eb3987cf848ea1841136fec129e49762ea2b6a48ffa87ee44a24d34c639fb8e4f75b47838cd4093edb0

  • SSDEEP

    12288:R1DYr96WUZOMwO5eTV38FRCXUq89H8I/mVOQiXpuUUM:RdY5TMwseTvXUq89cYmQz5uUUM

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\593d9a97ac754168b88f27352eaaae8985c2a84d4031207d12d450b223d2fe41.exe
    "C:\Users\Admin\AppData\Local\Temp\593d9a97ac754168b88f27352eaaae8985c2a84d4031207d12d450b223d2fe41.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ʵÃûË¢¿¨È«Äܸ¨Öú.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ʵÃûË¢¿¨È«Äܸ¨Öú.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.lbxywl.com
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1308
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" Http://wb.lbxywl.com/Ad/1.asp
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:696
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" Http://wb.lbxywl.com/Ad/2.asp
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1496 CREDAT:275457 /prefetch:2
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:1976
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" Http://wb.lbxywl.com/Ad/3.asp
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1084 CREDAT:275457 /prefetch:2
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:452
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" Http://wb.lbxywl.com/Ad/4.asp
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:964 CREDAT:275457 /prefetch:2
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:1656
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" Http://wb.lbxywl.com/Ad/5.asp
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:852
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ʵÃ÷ÈÏÖ¤.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ʵÃ÷ÈÏÖ¤.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:1864
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "netsvcs"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2380

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    60KB

    MD5

    d15aaa7c9be910a9898260767e2490e1

    SHA1

    2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

    SHA256

    f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

    SHA512

    7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1dc3c8d81116e3ca62e96d7f0419428d

    SHA1

    f8edff1885432efcaa1c19d419c3279957011912

    SHA256

    7040b63a400f74ec0bc7585db34b98a0d0302adf084bc24ef571236ce476792a

    SHA512

    9c3a75ed8889d0e7c82e2f62405c6f997b0b86dccf177f136763ba591c64ea62439e75d02cd5ff1a14b35a62d0803ee0b0f27ca6d9c2766dac65e399484715e4

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5E302131-428A-11ED-B59B-4A4A572A2DE9}.dat

    Filesize

    4KB

    MD5

    ff5f9b284e30286a4629154954a4a3ba

    SHA1

    0bff3a69f7338d216327174fc3c304f180f41268

    SHA256

    ba98ff4296d28c3c28da8e88b69524154440d691eea9fe8fe8e900f4462f87df

    SHA512

    f9808223d134e836cfdd6d9f172c1052ca3fa730a82d36040f9c7eff45da6dccc4e6b6665effa3e7ff58d7f200ace26f8a5e6222404c2951f22d28728d44c747

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5E325B81-428A-11ED-B59B-4A4A572A2DE9}.dat

    Filesize

    5KB

    MD5

    8e7ac58aa07cc83db4bb8757a9d73923

    SHA1

    66ad5fc7df6144be50930d4ed777351eaec8edef

    SHA256

    07353ceabb84faa1015a6436194bcefea9c1db5a1fd95218faa27dbfb1145971

    SHA512

    b5100b38fb5eecb6720d6e3d5c0cce04624cd71a9917875c0ecb68996444b3ef45ca5b371196bcb39a7705bcc8e33ba59649361d2f0bc16ba3ead31de38f5812

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5E34BCE1-428A-11ED-B59B-4A4A572A2DE9}.dat

    Filesize

    4KB

    MD5

    71b282ef1b4c356f2d01ff49763acf44

    SHA1

    b48d4471e0b7d61fd806c5e49fc745ae7639c328

    SHA256

    1fa9ff20128d38838699fc90c30bf5a3abf74ca31e8e777840f535d9a7d04650

    SHA512

    0e1a51a04cd8652b1ff3786b51504aad08e9f820b6c12b0adb943d6d60ef2c1da2ed2db70c0d827810dd6adfa1ddfaff4872505ae13c2dfaaf338b3b3f1cd30d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

    Filesize

    5KB

    MD5

    f58d580856231d757d7f05b506d72ff1

    SHA1

    101d33fa1852d49f970a7be8d9fe018cd507de8b

    SHA256

    cb8d9fc91bba6a597a18ee14c7ec2869d93e62b8b1bebe639c2e9adeab56826e

    SHA512

    91408f90ffc033faa4b9d7fab3257b1bcbdd473b693caddefc45dee1bccc29458ee291a265a6113c3406ccb87e0201c6e9201bf45a5eca292d0b2fdc3c1d8afd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G143T2K9.txt

    Filesize

    603B

    MD5

    29241e994b5cd5c9161e78748bbe433a

    SHA1

    5d273c6a8ea2e034a9e6bd09619ce47da1bc9e31

    SHA256

    bda409db8e60c5fc81cf3f841c4764ea9137ee28709d10e2b535c92ad8ebf7c1

    SHA512

    c65c238a298ef6ff10915571f4322528c8fa08375e98efebc8773dcfc2ef28f3379a07623777bc695a10c04d6d58e88597f68f593a7cb231082c63c99c4011f8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ʵÃ÷ÈÏÖ¤.exe

    Filesize

    192KB

    MD5

    87c4f6ec9a137bea1f00052b438417e3

    SHA1

    3cd79dc0b335feb011902805c69f75b0a73f6455

    SHA256

    8bb2557b2a86bbf7b19a7ca20349e60726471151df575f4460d8608153632f19

    SHA512

    1e5831bd17f03d7bc01e7863784f5ebfb13de7fc09eb63dc23957fc8e296159ff80f7ea936e4fc85ff4f1cfbd117f60803dec769fc3ce83a6e5191fbbfd75b47

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ʵÃûË¢¿¨È«Äܸ¨Öú.exe

    Filesize

    287KB

    MD5

    f8c6fa7133ee1e2bd1941e5d12e0a48f

    SHA1

    797417d1e31f02b0ea0557b92300b3bd92a8be99

    SHA256

    0862fb9a6e5292ab10ae4a08817da2e80da960840adb2ea4cd6feb5a2198207e

    SHA512

    d84d50ba8c1e7acec14c419dd0669b259dac3e151558041be38936feab98b469401a3dc18cc0ad8d3833851157a9ddd16eb271f4ca5508ef34dacdc5b898ab04

  • \??\c:\users\admin\application data\acd systems\acdsee\imagedm.ddf

    Filesize

    860KB

    MD5

    2e90b69e832159f40e020e745de20159

    SHA1

    dabc02d22bdf420cfa35ba6b87c4e5cb5c8565d6

    SHA256

    052b995402783fe765c27f9ef38816b7355a42623a3bc678a6486096ead3adc5

    SHA512

    dca3cc544ed53f434da9c088deef773f48f9e3fafc96db976e6139862ec3f2b950112b9e9beb0fdb3935d4384e5bb02a6110f570453fac0d7dbbec13ecac98ee

  • \Users\Admin\AppData\Roaming\ACD Systems\ACDSee\Imagedm.ddf

    Filesize

    860KB

    MD5

    2e90b69e832159f40e020e745de20159

    SHA1

    dabc02d22bdf420cfa35ba6b87c4e5cb5c8565d6

    SHA256

    052b995402783fe765c27f9ef38816b7355a42623a3bc678a6486096ead3adc5

    SHA512

    dca3cc544ed53f434da9c088deef773f48f9e3fafc96db976e6139862ec3f2b950112b9e9beb0fdb3935d4384e5bb02a6110f570453fac0d7dbbec13ecac98ee

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ʵÃ÷ÈÏÖ¤.exe

    Filesize

    192KB

    MD5

    87c4f6ec9a137bea1f00052b438417e3

    SHA1

    3cd79dc0b335feb011902805c69f75b0a73f6455

    SHA256

    8bb2557b2a86bbf7b19a7ca20349e60726471151df575f4460d8608153632f19

    SHA512

    1e5831bd17f03d7bc01e7863784f5ebfb13de7fc09eb63dc23957fc8e296159ff80f7ea936e4fc85ff4f1cfbd117f60803dec769fc3ce83a6e5191fbbfd75b47

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ʵÃûË¢¿¨È«Äܸ¨Öú.exe

    Filesize

    287KB

    MD5

    f8c6fa7133ee1e2bd1941e5d12e0a48f

    SHA1

    797417d1e31f02b0ea0557b92300b3bd92a8be99

    SHA256

    0862fb9a6e5292ab10ae4a08817da2e80da960840adb2ea4cd6feb5a2198207e

    SHA512

    d84d50ba8c1e7acec14c419dd0669b259dac3e151558041be38936feab98b469401a3dc18cc0ad8d3833851157a9ddd16eb271f4ca5508ef34dacdc5b898ab04

  • memory/920-77-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/920-66-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/920-65-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/920-70-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/1692-54-0x0000000075661000-0x0000000075663000-memory.dmp

    Filesize

    8KB