Overview

overview

10

Static

static

ac97426def...40.exe

windows7-x64

10

ac97426def...40.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    145s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 22:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac97426defa6f6836321051f424707f571fe3d4967e33d2ed4584f06f1a68c40.exe

  • Size

    510KB

  • MD5

    dfc487f16e2c7115e4f15e80f5720de9

  • SHA1

    e4a9a78f61e5cb7912c45c349a2807805c8ff36b

  • SHA256

    ac97426defa6f6836321051f424707f571fe3d4967e33d2ed4584f06f1a68c40

  • SHA512

    3b7a569f23e1af82de0ff289ca3ebaf4ca2e39129550068b535ee09b552d3968611813cc6459180d5ec49f53ca5bf5f4162246c3f8aa5249715d0927f0642dd1

  • SSDEEP

    6144:nINgekrKFVH0pwpM9NBiBd3wxQKwaaQKbp1g:nINgekrKFVH0pp9KdAxQKwBe

Score
10/10
gh0stratbootkitpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 12 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 5 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac97426defa6f6836321051f424707f571fe3d4967e33d2ed4584f06f1a68c40.exe
    "C:\Users\Admin\AppData\Local\Temp\ac97426defa6f6836321051f424707f571fe3d4967e33d2ed4584f06f1a68c40.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Program Files\Common Files\qiuqi0.exe
      "C:\Program Files\Common Files\qiuqi0.exe" "C:\Program Files\Common Files\maoma0.dll" ServiceMain
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1104
    • C:\Documents and Settings\qiuqi0.exe
      "C:\Documents and Settings\qiuqi0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del C:\DOCUME~1\qiuqi0.exe
        3⤵
          PID:860
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del C:\Users\Admin\AppData\Local\Temp\AC9742~1.EXE
        2⤵
        • Deletes itself
        PID:968

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Documents and Settings\qiuqi0.exe
      Filesize

      24.0MB

      MD5

      027df784c339ad2fed580a17cb571d75

      SHA1

      3b91a629205f0049b5db94fd4f8cbaf597984700

      SHA256

      6d67f89fdea88901e56220b9002313f32f93a327f3370db38bd0a73b9bbb8665

      SHA512

      de207fb2ce27610d69eafe8e5375e71cf011333d0993e7804f847e0b5334bee8a607931e49d3920e6c28c574b5e92c021a56ab7dfd770979080111d93c24f849

      Download Submit

    • C:\Program Files\Common Files\maoma0.dll
      Filesize

      24.1MB

      MD5

      ad5602c8dcd2087b3458219092a0ed3f

      SHA1

      5fedf62a348d3cbcba6a6163674fb5a7fba65de8

      SHA256

      5d6d344c60f68cf1295e9e1eaf7e0e57fcbe81c2d867f733bf09f5895c63b329

      SHA512

      819af686251b6ae26814d35f8df9815da37e0c97e74e23a1633229ea20926420caa65c9669642dc2ca8d80eeff7991a1929e8222894a6605f42a951f07329b7b

      Download Submit

    • C:\Program Files\Common Files\qiuqi0.exe
      Filesize

      43KB

      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

      Download Submit

    • C:\Program Files\Common Files\qiuqi0.exe
      Filesize

      43KB

      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

      Download Submit

    • C:\Users\qiuqi0.exe
      Filesize

      24.0MB

      MD5

      027df784c339ad2fed580a17cb571d75

      SHA1

      3b91a629205f0049b5db94fd4f8cbaf597984700

      SHA256

      6d67f89fdea88901e56220b9002313f32f93a327f3370db38bd0a73b9bbb8665

      SHA512

      de207fb2ce27610d69eafe8e5375e71cf011333d0993e7804f847e0b5334bee8a607931e49d3920e6c28c574b5e92c021a56ab7dfd770979080111d93c24f849

      Download Submit

    • \Program Files\Common Files\maoma0.dll
      Filesize

      24.1MB

      MD5

      ad5602c8dcd2087b3458219092a0ed3f

      SHA1

      5fedf62a348d3cbcba6a6163674fb5a7fba65de8

      SHA256

      5d6d344c60f68cf1295e9e1eaf7e0e57fcbe81c2d867f733bf09f5895c63b329

      SHA512

      819af686251b6ae26814d35f8df9815da37e0c97e74e23a1633229ea20926420caa65c9669642dc2ca8d80eeff7991a1929e8222894a6605f42a951f07329b7b

      Download Submit

    • \Program Files\Common Files\maoma0.dll
      Filesize

      24.1MB

      MD5

      ad5602c8dcd2087b3458219092a0ed3f

      SHA1

      5fedf62a348d3cbcba6a6163674fb5a7fba65de8

      SHA256

      5d6d344c60f68cf1295e9e1eaf7e0e57fcbe81c2d867f733bf09f5895c63b329

      SHA512

      819af686251b6ae26814d35f8df9815da37e0c97e74e23a1633229ea20926420caa65c9669642dc2ca8d80eeff7991a1929e8222894a6605f42a951f07329b7b

      Download Submit

    • \Program Files\Common Files\maoma0.dll
      Filesize

      24.1MB

      MD5

      ad5602c8dcd2087b3458219092a0ed3f

      SHA1

      5fedf62a348d3cbcba6a6163674fb5a7fba65de8

      SHA256

      5d6d344c60f68cf1295e9e1eaf7e0e57fcbe81c2d867f733bf09f5895c63b329

      SHA512

      819af686251b6ae26814d35f8df9815da37e0c97e74e23a1633229ea20926420caa65c9669642dc2ca8d80eeff7991a1929e8222894a6605f42a951f07329b7b

      Download Submit

    • \Program Files\Common Files\maoma0.dll
      Filesize

      24.1MB

      MD5

      ad5602c8dcd2087b3458219092a0ed3f

      SHA1

      5fedf62a348d3cbcba6a6163674fb5a7fba65de8

      SHA256

      5d6d344c60f68cf1295e9e1eaf7e0e57fcbe81c2d867f733bf09f5895c63b329

      SHA512

      819af686251b6ae26814d35f8df9815da37e0c97e74e23a1633229ea20926420caa65c9669642dc2ca8d80eeff7991a1929e8222894a6605f42a951f07329b7b

      Download Submit

    • \Program Files\Common Files\qiuqi0.exe
      Filesize

      43KB

      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

      Download Submit

    • \Program Files\Common Files\qiuqi0.exe
      Filesize

      43KB

      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

      Download Submit

    • \Program Files\Common Files\qiuqi0.exe
      Filesize

      43KB

      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

      Download Submit

    • \Users\qiuqi0.exe
      Filesize

      24.0MB

      MD5

      027df784c339ad2fed580a17cb571d75

      SHA1

      3b91a629205f0049b5db94fd4f8cbaf597984700

      SHA256

      6d67f89fdea88901e56220b9002313f32f93a327f3370db38bd0a73b9bbb8665

      SHA512

      de207fb2ce27610d69eafe8e5375e71cf011333d0993e7804f847e0b5334bee8a607931e49d3920e6c28c574b5e92c021a56ab7dfd770979080111d93c24f849

      Download Submit

    • \Users\qiuqi0.exe
      Filesize

      24.0MB

      MD5

      027df784c339ad2fed580a17cb571d75

      SHA1

      3b91a629205f0049b5db94fd4f8cbaf597984700

      SHA256

      6d67f89fdea88901e56220b9002313f32f93a327f3370db38bd0a73b9bbb8665

      SHA512

      de207fb2ce27610d69eafe8e5375e71cf011333d0993e7804f847e0b5334bee8a607931e49d3920e6c28c574b5e92c021a56ab7dfd770979080111d93c24f849

      Download Submit

    • \Users\qiuqi0.exe
      Filesize

      24.0MB

      MD5

      027df784c339ad2fed580a17cb571d75

      SHA1

      3b91a629205f0049b5db94fd4f8cbaf597984700

      SHA256

      6d67f89fdea88901e56220b9002313f32f93a327f3370db38bd0a73b9bbb8665

      SHA512

      de207fb2ce27610d69eafe8e5375e71cf011333d0993e7804f847e0b5334bee8a607931e49d3920e6c28c574b5e92c021a56ab7dfd770979080111d93c24f849

      Download Submit

    • \Users\qiuqi0.exe
      Filesize

      24.0MB

      MD5

      027df784c339ad2fed580a17cb571d75

      SHA1

      3b91a629205f0049b5db94fd4f8cbaf597984700

      SHA256

      6d67f89fdea88901e56220b9002313f32f93a327f3370db38bd0a73b9bbb8665

      SHA512

      de207fb2ce27610d69eafe8e5375e71cf011333d0993e7804f847e0b5334bee8a607931e49d3920e6c28c574b5e92c021a56ab7dfd770979080111d93c24f849

      Download Submit

    • memory/1104-70-0x0000000020000000-0x0000000020027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1104-72-0x0000000020000000-0x0000000020027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1104-92-0x0000000020000000-0x0000000020027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1104-71-0x0000000020000000-0x0000000020027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1104-69-0x0000000020000000-0x0000000020027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1500-85-0x0000000000030000-0x0000000000036000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1500-83-0x0000000000030000-0x0000000000036000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1500-82-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1500-87-0x0000000000030000-0x0000000000036000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2028-79-0x00000000002C0000-0x00000000002C6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2028-55-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

      Download

    • memory/2028-88-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

      Download

    • memory/2028-89-0x0000000000240000-0x000000000024D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2028-56-0x0000000000240000-0x00000000002B9000-memory.dmp

      Filesize

      484KB

      Download

    • memory/2028-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

      Filesize

      8KB

      Download