Overview

overview

10

Static

static

eb71cb4f89...84.exe

windows7-x64

10

eb71cb4f89...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    167s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2022 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe

  • Size

    192KB

  • MD5

    702395713f991c8ef6189f0c62d465f5

  • SHA1

    c2a01fb4fc43fe709732bafaf334bbb98755af5a

  • SHA256

    eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584

  • SHA512

    a17d03afe1011f1b199c1428a69c6b7d5dc536dadbf2fbbaeda362dd2fc6993139aa6ab5242223416b3b682e7e29712b32b1098f3a5543fd708c6affb3a811bc

  • SSDEEP

    3072:lSB23ZRnWUWXzg5KHbFxlAPHX7JC2J/IPe25L/IV8/dHb7nslSlq:lFPnWUWX05KH3lAP37JC2J/IPeiD/Rjt

Score
10/10
gh0stratbootkitpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
    "C:\Users\Admin\AppData\Local\Temp\eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1112
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\progra~3\applic~1\storm\update\fyxvl.dlc
    Filesize

    832KB

    MD5

    d7aaa1d6ae110fcd1d2cacf03fc2b872

    SHA1

    facd15a103e5900c2ca6659897511000b0a1df1a

    SHA256

    8d952b7b09cb8972abebc2f050d73bbc0811517979e0fc04896cf0010034be28

    SHA512

    6e53075a01e3fc214f0802be740ddd080977914777666665b9a81cf9db01e2731658219810788243da5e3816331c339ad5b8d9808cbc3e4db98195686c107a65

    Download Submit
  • \ProgramData\Storm\update\fyxvl.dlc
    Filesize

    832KB

    MD5

    d7aaa1d6ae110fcd1d2cacf03fc2b872

    SHA1

    facd15a103e5900c2ca6659897511000b0a1df1a

    SHA256

    8d952b7b09cb8972abebc2f050d73bbc0811517979e0fc04896cf0010034be28

    SHA512

    6e53075a01e3fc214f0802be740ddd080977914777666665b9a81cf9db01e2731658219810788243da5e3816331c339ad5b8d9808cbc3e4db98195686c107a65

    Download Submit
  • memory/1076-56-0x0000000075F51000-0x0000000075F53000-memory.dmp
    Filesize

    8KB

    Download