Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2022 11:03

General

  • Target

    f79527f6a0d44984813c08eabb0a41715ed7125cb466f52e5bb2db42443ab332.exe

  • Size

    108KB

  • MD5

    f6521e23da5fb9e84c00d2b3faa9c319

  • SHA1

    ac0bcece942b03077345341779bc544418878a6d

  • SHA256

    f79527f6a0d44984813c08eabb0a41715ed7125cb466f52e5bb2db42443ab332

  • SHA512

    cd1a14d5a291c4b42b594fc0a4c1e1267653fcd669fb2c92377a47952ad8b73480e76a8ff8f5c42eb7bb88282bdf3661d69b7e076a12d7e00d458e563e09f898

  • SSDEEP

    3072:aYVVWo4zw+6A1gSsh0lcs7zdsmOhNbt+g99zte8S:hVyzw+TsYzzSZzQg99zoh

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access trojan (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • Loads dropped DLL 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this heuristic as likely ransomware behaviour, but for a RAT such as Gh0st, drive enumeration is equally consistent with file-system reconnaissance and is not on its own evidence of encryption.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f79527f6a0d44984813c08eabb0a41715ed7125cb466f52e5bb2db42443ab332.exe
    "C:\Users\Admin\AppData\Local\Temp\f79527f6a0d44984813c08eabb0a41715ed7125cb466f52e5bb2db42443ab332.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Update7075768.BAT" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\PROGRA~2\KB067075768.dll,x #C:\PROGRA~2\KB067075768.dll##0#0#网络安全系统##ocSLmaa=#360sd#yAzR1cSNmNiMlAXMzNCSmdaKaa==#C:\Users\Admin\AppData\Local\Temp\f79527f6a0d44984813c08eabb0a41715ed7125cb466f52e5bb2db42443ab332.exe
        3⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1548
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1532
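
The rundll32 line in the tree above packs the loader's configuration into one '#'-delimited argument, and the page rendered one of those fields (GBK bytes shown through a CP437 code page) as box-drawing characters. The Python below is an added example, not code from the report or from the sandbox: it splits such a command line into DLL path, export name and argument fields, reverses the CP437/GBK mangling, and lists the traits a detection rule would key on. The command line is copied from the report; the indicator list and the reading of the fields are assumptions about this loader's pattern, not a documented format.

```python
import re

# Command line captured in the process tree above. The box-drawing run is how
# the report rendered a GBK-encoded argument through a CP437 code page.
RUNDLL_CMDLINE = (
    r"rundll32.exe C:\PROGRA~2\KB067075768.dll,x "
    r"#C:\PROGRA~2\KB067075768.dll##0#0#═°┬τ░▓╚½╧╡═│##ocSLmaa=#360sd#"
    r"yAzR1cSNmNiMlAXMzNCSmdaKaa==#C:\Users\Admin\AppData\Local\Temp"
    r"\f79527f6a0d44984813c08eabb0a41715ed7125cb466f52e5bb2db42443ab332.exe"
)

# rundll32[.exe] <dll>,<export> <everything else>
_RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+("[^"]+"|[^\s,]+),(\S+)\s*(.*)$',
    re.IGNORECASE,
)


def repair_cp437_gbk(text):
    """Undo a CP437 rendering of GBK bytes. Pure ASCII is returned unchanged,
    and anything that does not round-trip cleanly is left as it was."""
    if text.isascii():
        return text
    try:
        return text.encode("cp437").decode("gbk")
    except UnicodeError:
        return text


def parse_rundll32(cmdline):
    """Split a rundll32 command line into DLL path, export name and the
    '#'-delimited argument fields. Returns {} for anything else."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return {}
    fields = m.group(3).split("#")
    return {
        "dll": m.group(1).strip('"'),
        "export": m.group(2),
        "fields": fields,
        "fields_decoded": [repair_cp437_gbk(f) for f in fields],
    }


def rundll32_indicators(parsed):
    """Traits of a parsed invocation that match the loader seen in this run
    (assumed pattern): DLL outside %SystemRoot%, a one-letter export, and a
    '#'-packed argument string that repeats the DLL path and carries the
    dropper's own path."""
    hits = []
    if not parsed:
        return hits
    dll = parsed["dll"].lower()
    if not dll.startswith("c:\\windows\\"):
        hits.append("dll outside %SystemRoot%: " + parsed["dll"])
    if len(parsed["export"]) == 1:
        hits.append("single-letter export: " + parsed["export"])
    if len(parsed["fields"]) >= 5:
        hits.append("%d '#'-delimited argument fields" % len(parsed["fields"]))
    if any(f.lower() == dll for f in parsed["fields"]):
        hits.append("DLL path repeated inside the argument string")
    if any(f.lower().endswith(".exe") for f in parsed["fields"]):
        hits.append("dropper path passed as an argument")
    return hits


if __name__ == "__main__":
    parsed = parse_rundll32(RUNDLL_CMDLINE)
    print("dll:", parsed["dll"], "export:", parsed["export"])
    for i, (raw, fixed) in enumerate(zip(parsed["fields"], parsed["fields_decoded"])):
        print("field %2d: %r%s" % (i, raw, "" if raw == fixed else "  -> " + fixed))
    for hit in rundll32_indicators(parsed):
        print("indicator:", hit)
```

Run stand-alone it prints the eleven fields with the box-drawing field decoded to its GBK text, then the five indicators; the same functions applied to a benign `rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl` return no indicators, which is the check to keep a rule like this from firing on ordinary Control Panel launches.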

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\PROGRA~2\KB067075768.dll

    Filesize

    9.8MB

    MD5

    88b757855ea1acefc9fe9b2adc3c7703

    SHA1

    1963b00a705be4bd0dad6d8424ff669fc678c98e

    SHA256

    e6b9988a76fe81adfeb14a1d40e63f2f244e8b93032d11c050ac5228762bdba0

    SHA512

    d48e3cb45fb2739195d0a41e455f275e4451857e18cdbdc400591b8ad3ce837e303059d3af7992a81f52965d98957c495fce10bc118cac9d80fa5d394062ec8c

  • C:\Users\Admin\AppData\Local\Temp\Update7075768.BAT

    Filesize

    238B

    MD5

    ceb3e0feac094157f6fa0fcc696de958

    SHA1

    6b12190558c4ab755f439c2be0fb1317c5b5dda0

    SHA256

    0bbaebf3c49b58f2ffdb06c2d9ddcc3a04724e17773b2991a4812ac64fc605a2

    SHA512

    c0bd67555cdf8ce1a5d2b228e9b033da4a309aef25e14e6a07f2960e400e0725c1996c8b4dcfbd63a6db5e701db42dd29ce8bf9723aa2aa7a48f0f79d3cdf32b

  • \??\c:\program files (x86)\common files\system\hedubgtfp.eul

    Filesize

    9.8MB

    MD5

    88b757855ea1acefc9fe9b2adc3c7703

    SHA1

    1963b00a705be4bd0dad6d8424ff669fc678c98e

    SHA256

    e6b9988a76fe81adfeb14a1d40e63f2f244e8b93032d11c050ac5228762bdba0

    SHA512

    d48e3cb45fb2739195d0a41e455f275e4451857e18cdbdc400591b8ad3ce837e303059d3af7992a81f52965d98957c495fce10bc118cac9d80fa5d394062ec8c

  • \PROGRA~2\KB067075768.dll

    Filesize

    9.8MB

    MD5

    88b757855ea1acefc9fe9b2adc3c7703

    SHA1

    1963b00a705be4bd0dad6d8424ff669fc678c98e

    SHA256

    e6b9988a76fe81adfeb14a1d40e63f2f244e8b93032d11c050ac5228762bdba0

    SHA512

    d48e3cb45fb2739195d0a41e455f275e4451857e18cdbdc400591b8ad3ce837e303059d3af7992a81f52965d98957c495fce10bc118cac9d80fa5d394062ec8c

  • \Program Files (x86)\Common Files\System\hedubgtfp.eul

    Filesize

    9.8MB

    MD5

    88b757855ea1acefc9fe9b2adc3c7703

    SHA1

    1963b00a705be4bd0dad6d8424ff669fc678c98e

    SHA256

    e6b9988a76fe81adfeb14a1d40e63f2f244e8b93032d11c050ac5228762bdba0

    SHA512

    d48e3cb45fb2739195d0a41e455f275e4451857e18cdbdc400591b8ad3ce837e303059d3af7992a81f52965d98957c495fce10bc118cac9d80fa5d394062ec8c

  • memory/872-55-0x0000000000000000-mapping.dmp

  • memory/1548-57-0x0000000000000000-mapping.dmp

  • memory/1976-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

    Filesize

    8KB

  • memory/1976-59-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB
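
The Downloads list records the same 9.8MB payload under two paths (the DLL in Program Files and the .eul file under Common Files\System carry one SHA-256) and repeats the DLL entry itself. The Python below is an added example, not part of the report: it folds the entries into unique artifacts by SHA-256, turns them plus the sample hash into a lookup set, and streams files on disk through SHA-256 against it. The hashes and paths are copied from the report; the file written by `demo()` is constructed filler used only to exercise the scanner, and the labels are assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Dropped-file hashes copied from the Downloads list above. The DLL and the
# .eul file have the same SHA-256: one payload written under two names.
DROPPED_FILES = [
    (r"C:\PROGRA~2\KB067075768.dll",
     "e6b9988a76fe81adfeb14a1d40e63f2f244e8b93032d11c050ac5228762bdba0"),
    (r"\Program Files (x86)\Common Files\System\hedubgtfp.eul",
     "e6b9988a76fe81adfeb14a1d40e63f2f244e8b93032d11c050ac5228762bdba0"),
    (r"C:\Users\Admin\AppData\Local\Temp\Update7075768.BAT",
     "0bbaebf3c49b58f2ffdb06c2d9ddcc3a04724e17773b2991a4812ac64fc605a2"),
]
SAMPLE_SHA256 = "f79527f6a0d44984813c08eabb0a41715ed7125cb466f52e5bb2db42443ab332"


def unique_artifacts(entries):
    """Group dropped-file entries by SHA-256 so a payload written under several
    names appears once, with every path it was seen at."""
    by_hash = defaultdict(list)
    for path, sha256 in entries:
        if path not in by_hash[sha256]:
            by_hash[sha256].append(path)
    return dict(by_hash)


def build_ioc_set(entries, sample_sha256):
    """Map SHA-256 -> label for the dropper and each unique dropped file."""
    iocs = {sample_sha256: "dropper"}
    for sha256, paths in unique_artifacts(entries).items():
        iocs[sha256] = "dropped: " + " | ".join(paths)
    return iocs


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large drop (9.8MB here) is never
    read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(paths, iocs):
    """Hash each readable file and return (path, sha256, label) for those whose
    digest is in `iocs`. Missing or unreadable paths are skipped, not fatal."""
    hits = []
    for path in paths:
        try:
            digest = sha256_file(path)
        except OSError:
            continue
        if digest in iocs:
            hits.append((path, digest, iocs[digest]))
    return hits


def demo():
    """Exercise the scanner on a constructed file (not the malware): it must not
    match the report's IoCs by name alone, and must match once its own hash is
    added to the set. Returns (hits_against_report, hits_with_own_hash)."""
    iocs = build_ioc_set(DROPPED_FILES, SAMPLE_SHA256)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "KB067075768.dll")  # same name, harmless content
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content, not the real payload\n")
        clean = scan_files([path, os.path.join(tmp, "missing.bin")], iocs)
        extended = dict(iocs)
        extended[sha256_file(path)] = "constructed"
        with_own = scan_files([path], extended)
    return clean, with_own


if __name__ == "__main__":
    for sha256, paths in unique_artifacts(DROPPED_FILES).items():
        print(sha256, "->", " | ".join(paths))
    clean, with_own = demo()
    print("matches against report IoCs:", clean)
    print("matches after adding the constructed hash:", with_own)
```

On a live host, feed `scan_files` the paths from the Processes tree plus the `\Program Files (x86)\Common Files\System` drop location; matching on content rather than on the KB-style file name is what catches the payload when it is written under a different name, as the .eul copy shows.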