Overview

overview

10

Static

static

10

2c5dc04e22...dc.exe

windows7-x64

10

2c5dc04e22...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c5dc04e2227099f9039d7e0e384a456904737a01303affe2d42a001a86fc6dc.exe

  • Size

    30KB

  • MD5

    cfc5212ceeb52d74ce319bdf2bf96938

  • SHA1

    98a88e244c27596473145bbc57a9841d29a0baba

  • SHA256

    2c5dc04e2227099f9039d7e0e384a456904737a01303affe2d42a001a86fc6dc

  • SHA512

    3ecc20cd0834af2e900d3879e8f57ae1c963c580e89bdec6985a6e753c4aab94bc14d035185ee11ad3914b65824e6fb434fa391507043f20759267d06d40cefa

  • SSDEEP

    768:Bo7ka4dMTNgxC6xaUCBVhFuiFttM8NE7VC9NNRo6nP3gm:BWqYNg9ap3jzFm7VCTNlPZ

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c5dc04e2227099f9039d7e0e384a456904737a01303affe2d42a001a86fc6dc.exe
    "C:\Users\Admin\AppData\Local\Temp\2c5dc04e2227099f9039d7e0e384a456904737a01303affe2d42a001a86fc6dc.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\8074.vbs"
      2⤵
        PID:2540
    • C:\Windows\Qoayeik.exe
      C:\Windows\Qoayeik.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\Qoayeik.exe
        C:\Windows\Qoayeik.exe Win7
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        PID:4868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1368
          3⤵
          • Program crash
          PID:2072
      • C:\Windows\Qoayeik.exe
        C:\Windows\Qoayeik.exe Win7
        2⤵
        • Executes dropped EXE
        PID:4596
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 512
        2⤵
        • Program crash
        PID:5084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3192 -ip 3192
      1⤵
        PID:996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4868 -ip 4868
        1⤵
          PID:4768

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\8074.vbs
          Filesize

          500B

          MD5

          e48de04d8739b455b4f78856aaff493c

          SHA1

          cbb89130d5e7ff882b3f22362ed401aa1c353321

          SHA256

          d9d14f86617e3869161368f55b0cac7eace46146eae0ae1cad07d6deb0e980b3

          SHA512

          bb400b17424f3cc931e62e077a79f6f789c6820db96b4f8b4d857bc6484e78c37d23abc5e64dc4f9d0ecf5be662edd78a90f244fb922742d40e9d4fbf9728d51

          Download Submit

        • C:\Windows\Qoayeik.exe
          Filesize

          30KB

          MD5

          cfc5212ceeb52d74ce319bdf2bf96938

          SHA1

          98a88e244c27596473145bbc57a9841d29a0baba

          SHA256

          2c5dc04e2227099f9039d7e0e384a456904737a01303affe2d42a001a86fc6dc

          SHA512

          3ecc20cd0834af2e900d3879e8f57ae1c963c580e89bdec6985a6e753c4aab94bc14d035185ee11ad3914b65824e6fb434fa391507043f20759267d06d40cefa

          Download Submit

        • C:\Windows\Qoayeik.exe
          Filesize

          30KB

          MD5

          cfc5212ceeb52d74ce319bdf2bf96938

          SHA1

          98a88e244c27596473145bbc57a9841d29a0baba

          SHA256

          2c5dc04e2227099f9039d7e0e384a456904737a01303affe2d42a001a86fc6dc

          SHA512

          3ecc20cd0834af2e900d3879e8f57ae1c963c580e89bdec6985a6e753c4aab94bc14d035185ee11ad3914b65824e6fb434fa391507043f20759267d06d40cefa

          Download Submit

        • C:\Windows\Qoayeik.exe
          Filesize

          30KB

          MD5

          cfc5212ceeb52d74ce319bdf2bf96938

          SHA1

          98a88e244c27596473145bbc57a9841d29a0baba

          SHA256

          2c5dc04e2227099f9039d7e0e384a456904737a01303affe2d42a001a86fc6dc

          SHA512

          3ecc20cd0834af2e900d3879e8f57ae1c963c580e89bdec6985a6e753c4aab94bc14d035185ee11ad3914b65824e6fb434fa391507043f20759267d06d40cefa

          Download Submit

        • C:\Windows\Qoayeik.exe
          Filesize

          30KB

          MD5

          cfc5212ceeb52d74ce319bdf2bf96938

          SHA1

          98a88e244c27596473145bbc57a9841d29a0baba

          SHA256

          2c5dc04e2227099f9039d7e0e384a456904737a01303affe2d42a001a86fc6dc

          SHA512

          3ecc20cd0834af2e900d3879e8f57ae1c963c580e89bdec6985a6e753c4aab94bc14d035185ee11ad3914b65824e6fb434fa391507043f20759267d06d40cefa

          Download Submit

        • memory/3192-139-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-132-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-144-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4596-143-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4596-141-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4868-140-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4868-146-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4868-147-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

          Download