Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 11:59

General

  • Target: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe
  • Size: 292KB
  • MD5: 8516e3653d6c34810423ca3ed98275f5
  • SHA1: 2eb9f748e9276718e89acc4098040177f72b0d2a
  • SHA256: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49
  • SHA512: 4e6fa7bf087aaf7499c0e1eba1c23ea43b90e3cba6d307a22341e4ba48a8e19d5e21cd2d78f45a887ec238be661f092888d26c0a39ed1cebfb309b429396f8f5
  • SSDEEP: 3072:GfvUpXXkVMO4gCwd3E5y1mZtGbvKa2x719Iy/jvuyttPlLcHUzPtVKqdlg:ivUpHu4gvqQ1HKPyIjftxdkUz2m

Score
10/10

Signatures

  • Gh0st RAT payload (1 IoC)
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe
    "C:\Users\Admin\AppData\Local\Temp\45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\9440.vbs"
      2⤵
        PID:876
    • C:\Windows\skkwkm.exe
      C:\Windows\skkwkm.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4040


    Downloads

    • C:\9440.vbs
      Filesize: 500B
      MD5: ddc469cab3c3daf211f2f271876eea17
      SHA1: 4760a0aa14c73db997677bc9e0c9ec697cc15e5e
      SHA256: cbb4065ceaa15f2218f8593311c79d6f08c4a750e037d196b4e4ceaf5d3eb94a
      SHA512: 50537115db27e43d7e6c263b71ef994b2be3b9ec7f1376b3f2a834981404e91994b1a5da1b543e2117d4f51f1cf4a091367f202f6c61d534e6534e1a1a24bffa

    • C:\Windows\skkwkm.exe
      Filesize: 292KB
      MD5: 8516e3653d6c34810423ca3ed98275f5
      SHA1: 2eb9f748e9276718e89acc4098040177f72b0d2a
      SHA256: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49
      SHA512: 4e6fa7bf087aaf7499c0e1eba1c23ea43b90e3cba6d307a22341e4ba48a8e19d5e21cd2d78f45a887ec238be661f092888d26c0a39ed1cebfb309b429396f8f5

    • memory/876-142-0x0000000000000000-mapping.dmp
    • memory/2840-132-0x0000000010000000-0x0000000010016000-memory.dmp
      Filesize: 88KB