Analysis

  • max time kernel
    260s
  • max time network
    336s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 11:59

General

  • Target

    45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe

  • Size

    292KB

  • MD5

    8516e3653d6c34810423ca3ed98275f5

  • SHA1

    2eb9f748e9276718e89acc4098040177f72b0d2a

  • SHA256

    45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49

  • SHA512

    4e6fa7bf087aaf7499c0e1eba1c23ea43b90e3cba6d307a22341e4ba48a8e19d5e21cd2d78f45a887ec238be661f092888d26c0a39ed1cebfb309b429396f8f5

  • SSDEEP

    3072:GfvUpXXkVMO4gCwd3E5y1mZtGbvKa2x719Iy/jvuyttPlLcHUzPtVKqdlg:ivUpHu4gvqQ1HKPyIjftxdkUz2m

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe
    "C:\Users\Admin\AppData\Local\Temp\45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\499.vbs"
      2⤵
      • Deletes itself
      PID:1116
  • C:\Windows\hsznok.exe
    C:\Windows\hsznok.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:268

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\499.vbs
    Filesize

    500B

    MD5

    ddc469cab3c3daf211f2f271876eea17

    SHA1

    4760a0aa14c73db997677bc9e0c9ec697cc15e5e

    SHA256

    cbb4065ceaa15f2218f8593311c79d6f08c4a750e037d196b4e4ceaf5d3eb94a

    SHA512

    50537115db27e43d7e6c263b71ef994b2be3b9ec7f1376b3f2a834981404e91994b1a5da1b543e2117d4f51f1cf4a091367f202f6c61d534e6534e1a1a24bffa

  • C:\Windows\hsznok.exe
    Filesize

    292KB

    MD5

    8516e3653d6c34810423ca3ed98275f5

    SHA1

    2eb9f748e9276718e89acc4098040177f72b0d2a

    SHA256

    45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49

    SHA512

    4e6fa7bf087aaf7499c0e1eba1c23ea43b90e3cba6d307a22341e4ba48a8e19d5e21cd2d78f45a887ec238be661f092888d26c0a39ed1cebfb309b429396f8f5

  • memory/896-54-0x0000000075E81000-0x0000000075E83000-memory.dmp
    Filesize

    8KB

  • memory/896-55-0x0000000010000000-0x0000000010016000-memory.dmp
    Filesize

    88KB

  • memory/1116-67-0x0000000000000000-mapping.dmp