Analysis

  • max time kernel
    167s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-10-2022 02:03

General

  • Target

    55c3fe8f8d9c74b3ec177ae34980b2b7a41699f8dda5c436d3da9299a3c4c4bf.exe

  • Size

    192KB

  • MD5

    322c08af3d8a278f01ff9a3d9cb902c0

  • SHA1

    36737e27ba0a9cca01c3123f41fe8d214d3159ba

  • SHA256

    55c3fe8f8d9c74b3ec177ae34980b2b7a41699f8dda5c436d3da9299a3c4c4bf

  • SHA512

    e3e4653f3163247473c97c70ed42726ea0bd81b6013b51d05ab4422ee3a6f312be2cb3ea5d11d8e959ad178726062f063c1eb2e0f77998a936193f2e2785f0ad

  • SSDEEP

    3072:LbybpZknW34cWm6zOpUcv9fcGMfs0A6JlPlHJH3Q+OKthU0x:LCZknW34cWm6GfcGMbDWI2

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 8 IoCs
  • Program crash 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55c3fe8f8d9c74b3ec177ae34980b2b7a41699f8dda5c436d3da9299a3c4c4bf.exe
    "C:\Users\Admin\AppData\Local\Temp\55c3fe8f8d9c74b3ec177ae34980b2b7a41699f8dda5c436d3da9299a3c4c4bf.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4544
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4612
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 788
      2⤵
      • Program crash
      PID:3632
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1096
      2⤵
      • Program crash
      PID:3772
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4612 -ip 4612
    1⤵
    PID:4856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1352 -ip 1352
    1⤵
    PID:1984
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4480
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1100
      2⤵
      • Program crash
      PID:4984
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4480 -ip 4480
    1⤵
    PID:2996
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 824
      2⤵
      • Program crash
      PID:3652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1740 -ip 1740
    1⤵
    PID:3056

Network

MITRE ATT&CK Matrix

Downloads

  • C:\ProgramData\Storm\update\%SESSIONNAME%\ksluc.dlc

    Filesize

    154.6MB

    MD5

    cc819ac5f4fdda29270d86204f3ba042

    SHA1

    aa779095c9759c2794d92e0a933fea94030c217d

    SHA256

    ac9c33254b669770078dea0af4631831ae31aa8518e28fd61472f50e1699dfbf

    SHA512

    3641917249abd003fa3487b2e98788b5e23882fa642606a54565cbb274507a4107dd6164a081e727f262020a287a0f2c5517e5da35a46efb74d577292cc8fb01

  • C:\Windows\SysWOW64\svchost.exe.txt

    Filesize

    204B

    MD5

    89d3661eb64c487006743d3a799f07c5

    SHA1

    0a8f00066997ac7cbb736daaf552d705b2417f4d

    SHA256

    f1d03bfb05090c4cd8dd489123703891d536a6e725c3bc965dfcc52eba5b991f

    SHA512

    b5379bb9bf32655d7af9a55e535a7b5ec972c52a7ed15aaa2568498414a6bb10bd85814deda4a6fcf646bd774fc198d7bb30bcd652e8307f341cb986da746799

  • C:\Windows\SysWOW64\svchost.exe.txt

    Filesize

    306B

    MD5

    bda737e6d2aaedab8d1a597c85800930

    SHA1

    edb19826b871930753674e36739cba06d638b666

    SHA256

    5ec3c6f31dd09b43f38d08355b30c3a930f54deeae0599949f044778fcd837f9

    SHA512

    1ae35d62621616cb0292094f9506610e6c0ac3bb780cc05b28f88567043ce9c1ee8aba13349695dbe9ff26261acb3528d6dfa9a3fcb77cf2ade9e0ac6cafc3c4

  • C:\Windows\SysWOW64\svchost.exe.txt

    Filesize

    408B

    MD5

    b7b22a748f000594a0e18fbb2b1d8984

    SHA1

    2bd4e3abd3153cdfaae69f20a866596b87325837

    SHA256

    dad8747f63cc063227b0efbef17a0b443ec08105959c7cb7c4ebdc5ea32b3649

    SHA512

    ac1a7838b2fb223a463a2e3154c32487c0562675666f1f46680ef38e337b183efdeda9ad7572863041ac819dad05cd6c03456662e4c5d2c42f9984a57f8c9b59

  • \??\c:\programdata\application data\storm\update\%sessionname%\ksluc.dlc

    Filesize

    154.6MB

    MD5

    cc819ac5f4fdda29270d86204f3ba042

    SHA1

    aa779095c9759c2794d92e0a933fea94030c217d

    SHA256

    ac9c33254b669770078dea0af4631831ae31aa8518e28fd61472f50e1699dfbf

    SHA512

    3641917249abd003fa3487b2e98788b5e23882fa642606a54565cbb274507a4107dd6164a081e727f262020a287a0f2c5517e5da35a46efb74d577292cc8fb01