Analysis

  • max time kernel
    164s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
  • submitted
    23-11-2022 20:18

General

  • Target

    5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe

  • Size

    739KB

  • MD5

    541af3301b872d53b12e1b41a2217280

  • SHA1

    648697911465731db9df4d58b6ee940ef67aef64

  • SHA256

    5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce

  • SHA512

    0eea843859a9f6e4b71f7f35e83b94992083e8f1d58d8ae9b3b32314c3126b4d50598dfa578daaed8c7e6df1077253be5a6a5c8c84cd38af3c62915b381657b2

  • SSDEEP

    12288:ja9fxEbo5NjdwmShyJzTzJshqd2PV+xDXsNoEacuIGi5z3:8fxEs5h9TzJshqENoD8uyG2

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 4 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe
    "C:\Users\Admin\AppData\Local\Temp\5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\417.exe
      "C:\417.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Ksafetray.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
      • C:\Program Files\Common Files\svchtst.exe 2022112402121.exe
        "C:\Program Files\Common Files\svchtst.exe 2022112402121.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Ksafetray.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1496
    • C:\ºÚèÆƲֿâ.exe
      "C:\ºÚèÆƲֿâ.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\WINDOWS\SysWOW64\tracert..exe
        C:\WINDOWS\system32\tracert..exe
        3⤵
        • Executes dropped EXE
        • Sets DLL path for service in the registry
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1384
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1616

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\417.exe

    Filesize

    124KB

    MD5

    66955a0482f30f72eedab681799a41e7

    SHA1

    63b2c667ed01002949ed85831bbd6b334fa6bd20

    SHA256

    9e7d6ce87e395effc83884dd58cdbe83294588432d1dacbe356c2f50fb0bd650

    SHA512

    19f035328b4ce9541051e3c25e7d992aaa1ca1ab9f1b60dfc1ba858f238f6b8b0ea4fa47e743d4a72c7d16195cf40182f2c177f43ca9b1860df8cde332d61d46

  • C:\Program Files\Common Files\svchtst.exe 2022112402121.exe

    Filesize

    124KB

    MD5

    66955a0482f30f72eedab681799a41e7

    SHA1

    63b2c667ed01002949ed85831bbd6b334fa6bd20

    SHA256

    9e7d6ce87e395effc83884dd58cdbe83294588432d1dacbe356c2f50fb0bd650

    SHA512

    19f035328b4ce9541051e3c25e7d992aaa1ca1ab9f1b60dfc1ba858f238f6b8b0ea4fa47e743d4a72c7d16195cf40182f2c177f43ca9b1860df8cde332d61d46

  • C:\WINDOWS\SysWOW64\tracert..exe

    Filesize

    184KB

    MD5

    dad177dcc3dd8e0b38fdf4d5381c697b

    SHA1

    dad53b8408de85ea1f9cad53f216b45819032091

    SHA256

    b8333c8d80ab675724de2e5e4adc55b1e217083b0190b4d60b786fb4590c8ad3

    SHA512

    6f7901d405a9a8013a3dab9a234ee91b06f61ab3c7f6c7d771dcc25bbf743b4e5f3a8d7f46d6179bbaa83b7fae2efe2697c89bcad63338c3c9e0ef4298ece42d

  • C:\Windows\SysWOW64\tracert..exe

    Filesize

    184KB

    MD5

    dad177dcc3dd8e0b38fdf4d5381c697b

    SHA1

    dad53b8408de85ea1f9cad53f216b45819032091

    SHA256

    b8333c8d80ab675724de2e5e4adc55b1e217083b0190b4d60b786fb4590c8ad3

    SHA512

    6f7901d405a9a8013a3dab9a234ee91b06f61ab3c7f6c7d771dcc25bbf743b4e5f3a8d7f46d6179bbaa83b7fae2efe2697c89bcad63338c3c9e0ef4298ece42d

  • C:\ºÚèÆƲֿâ.exe

    Filesize

    1.8MB

    MD5

    1d9a6a5aa024ae5512d50a3312445c13

    SHA1

    f47a60944331f4e1ff8b9ba625d360a5c683405a

    SHA256

    cf18a58924f24cc3d69c0bcd240487b6736b0867a824123f23afbdcb278581a6

    SHA512

    95807fd22e1a29f074af3945c388afb8834a3a991717c67c39a04ccf01e85728df282fd18056182076edd793281eec48485e06ec8805438ab48717b459ab30ff

  • \??\c:\windows\SysWOW64\ntfastuserswitchingcompatibility.dll

    Filesize

    148KB

    MD5

    71c958952423fc70aff0a322b0e6f92d

    SHA1

    bfca527e85cbcc5b6e34e75433829eb8f1c4e266

    SHA256

    82b3691a0b2be1916366305a575ba3989f683e3cfba01e86925c5b0709142d25

    SHA512

    fd84d556d422b53ccfeb4be11389bc65358427b3b71ef79e71973f87e72bc8ed8c5e600ce888141853d7859057deefbb4bf2b950b5b8ff7852ac1e89401ceef8

  • \Windows\SysWOW64\ntfastuserswitchingcompatibility.dll

    Filesize

    148KB

    MD5

    71c958952423fc70aff0a322b0e6f92d

    SHA1

    bfca527e85cbcc5b6e34e75433829eb8f1c4e266

    SHA256

    82b3691a0b2be1916366305a575ba3989f683e3cfba01e86925c5b0709142d25

    SHA512

    fd84d556d422b53ccfeb4be11389bc65358427b3b71ef79e71973f87e72bc8ed8c5e600ce888141853d7859057deefbb4bf2b950b5b8ff7852ac1e89401ceef8

  • \Windows\SysWOW64\tracert..exe

    Filesize

    184KB

    MD5

    dad177dcc3dd8e0b38fdf4d5381c697b

    SHA1

    dad53b8408de85ea1f9cad53f216b45819032091

    SHA256

    b8333c8d80ab675724de2e5e4adc55b1e217083b0190b4d60b786fb4590c8ad3

    SHA512

    6f7901d405a9a8013a3dab9a234ee91b06f61ab3c7f6c7d771dcc25bbf743b4e5f3a8d7f46d6179bbaa83b7fae2efe2697c89bcad63338c3c9e0ef4298ece42d

  • memory/556-60-0x0000000000000000-mapping.dmp

  • memory/900-64-0x0000000000000000-mapping.dmp

  • memory/956-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

    Filesize

    8KB

  • memory/1168-55-0x0000000000000000-mapping.dmp

  • memory/1384-69-0x0000000000000000-mapping.dmp

  • memory/1496-63-0x0000000000000000-mapping.dmp

  • memory/1504-59-0x0000000000000000-mapping.dmp