Overview

overview

10

Static

static

c660ace33b...e9.exe

windows7-x64

10

c660ace33b...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 00:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe

  • Size

    1.6MB

  • MD5

    47265030482ff347272cdf09aef25e8d

  • SHA1

    2ae7ac78dc11f0374389f1f15031a1a1a4d30b70

  • SHA256

    c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9

  • SHA512

    35c09678bde4841c3bc0432229c6b84bd4ca39c963290cfcc7d25bb6b10002346e0dc798c684bf9d3ab95b4e286f5366430758733ee2f33eb8610e9773e78b0e

  • SSDEEP

    24576:U61I7CpxnYP1uyFQ3OfzYSu2+PVAJeA4Qsi84XVKCuVSs1DKNbGvFic2Y+O:D+7vdNwERuDrZQsN4YpSKWG9ic2Yl

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe
    "C:\Users\Admin\AppData\Local\Temp\c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Users\Admin\AppData\Local\Temp\¾¢Îè6.9ͨÓð棨֧³Ö˽·þ£©.exe
      "C:\Users\Admin\AppData\Local\Temp\¾¢Îè6.9ͨÓð棨֧³Ö˽·þ£©.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.5203y.com/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1476 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1912
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1720
      • \??\c:\users\admin\appdata\local\dedcisjxuu
        "C:\Users\Admin\AppData\Local\Temp\server.exe" a -sc:\users\admin\appdata\local\temp\server.exe
        3⤵
        • Executes dropped EXE
        PID:1668

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    196KB

    MD5

    54b5926b964e7280448dff92eff7fd38

    SHA1

    d9fa67ffe3e33a530a929368bcec80212d57477e

    SHA256

    375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95

    SHA512

    b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\¾¢Îè6.9ͨÓð棨֧³Ö˽·þ£©.exe
    Filesize

    904KB

    MD5

    99ea9f16c4f432f12d23ac1f50f05fbc

    SHA1

    660bda601a4f6c078d47ffdc91bba3a6875dda0f

    SHA256

    b8c05c9f4bdd4fb29b7d1c50771c630cfeed85b3fb26146e171cd75cba2542d4

    SHA512

    783a892754092ccbfb462487751f690a3df72aa9e5c6c88d6a229e04b8f24ee11da3de0b282d8e1707edc11ae07c96e49ca27ddc0b7df71ec10f88b17930d985

    Download Submit

  • C:\Users\Admin\AppData\Local\dedcisjxuu
    Filesize

    23.7MB

    MD5

    8a41d175a2a6473bce239e518a584983

    SHA1

    e686ddb39c29462c7ea9da086a66f835a812563e

    SHA256

    946f824b3296b0fc7a1905050c1352a1d0769d59de565a8736b30eb2b08177ff

    SHA512

    819028c229e5ac3d7da769b79b30f43abb5561fa0e1d58a88e408d005c26cfdbb27ff2565536b9f209eeb8c718388378041c778f02d68b3b904129c25d6f2c1d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LUKGJUDP.txt
    Filesize

    603B

    MD5

    7a3cb5165a7a60ae911779b5348c464b

    SHA1

    0f54e5e48ac96044f8ad090838c330e6ab9c78b1

    SHA256

    38929a2ec2fe71a2bd9e8e8f9bf8520e2466c8f9d6d890297ef7e1b1a307102c

    SHA512

    eb04c9eb61c98860ab706f1f4e19c1bed3cbca5e0050d4549baee2e7cc2e1a047c417e8107b9b76919cdc5cae232e8e2d5d0e874374f81d0532b7060852954b7

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\server.exe
    Filesize

    196KB

    MD5

    54b5926b964e7280448dff92eff7fd38

    SHA1

    d9fa67ffe3e33a530a929368bcec80212d57477e

    SHA256

    375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95

    SHA512

    b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    196KB

    MD5

    54b5926b964e7280448dff92eff7fd38

    SHA1

    d9fa67ffe3e33a530a929368bcec80212d57477e

    SHA256

    375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95

    SHA512

    b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    196KB

    MD5

    54b5926b964e7280448dff92eff7fd38

    SHA1

    d9fa67ffe3e33a530a929368bcec80212d57477e

    SHA256

    375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95

    SHA512

    b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\¾¢Îè6.9ͨÓð棨֧³Ö˽·þ£©.exe
    Filesize

    904KB

    MD5

    99ea9f16c4f432f12d23ac1f50f05fbc

    SHA1

    660bda601a4f6c078d47ffdc91bba3a6875dda0f

    SHA256

    b8c05c9f4bdd4fb29b7d1c50771c630cfeed85b3fb26146e171cd75cba2542d4

    SHA512

    783a892754092ccbfb462487751f690a3df72aa9e5c6c88d6a229e04b8f24ee11da3de0b282d8e1707edc11ae07c96e49ca27ddc0b7df71ec10f88b17930d985

    Download Submit

  • \Users\Admin\AppData\Local\Temp\¾¢Îè6.9ͨÓð棨֧³Ö˽·þ£©.exe
    Filesize

    904KB

    MD5

    99ea9f16c4f432f12d23ac1f50f05fbc

    SHA1

    660bda601a4f6c078d47ffdc91bba3a6875dda0f

    SHA256

    b8c05c9f4bdd4fb29b7d1c50771c630cfeed85b3fb26146e171cd75cba2542d4

    SHA512

    783a892754092ccbfb462487751f690a3df72aa9e5c6c88d6a229e04b8f24ee11da3de0b282d8e1707edc11ae07c96e49ca27ddc0b7df71ec10f88b17930d985

    Download Submit

  • \Users\Admin\AppData\Local\dedcisjxuu
    Filesize

    23.7MB

    MD5

    8a41d175a2a6473bce239e518a584983

    SHA1

    e686ddb39c29462c7ea9da086a66f835a812563e

    SHA256

    946f824b3296b0fc7a1905050c1352a1d0769d59de565a8736b30eb2b08177ff

    SHA512

    819028c229e5ac3d7da769b79b30f43abb5561fa0e1d58a88e408d005c26cfdbb27ff2565536b9f209eeb8c718388378041c778f02d68b3b904129c25d6f2c1d

    Download Submit

  • memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1668-69-0x0000000000400000-0x0000000000432800-memory.dmp

    Filesize

    202KB

    Download

  • memory/1720-65-0x0000000000400000-0x0000000000432800-memory.dmp

    Filesize

    202KB

    Download

  • memory/1720-64-0x0000000000400000-0x0000000000432800-memory.dmp

    Filesize

    202KB

    Download

  • memory/1720-70-0x00000000002C0000-0x00000000002F3000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1720-71-0x00000000002C0000-0x00000000002F3000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1720-73-0x0000000000400000-0x0000000000432800-memory.dmp

    Filesize

    202KB

    Download