Analysis

  • max time kernel
    91s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    06/12/2022, 14:57

General

  • Target

    7d1b76e5ffd972da972372d210d4c671f964e3865a2010ff3f5e1f58af3a715c.exe

  • Size

    120KB

  • MD5

    d6eaeb35723f725e9507660e9f8e4d8c

  • SHA1

    66a1fec032e4d6bb335d9bef2fc873e3c204387a

  • SHA256

    7d1b76e5ffd972da972372d210d4c671f964e3865a2010ff3f5e1f58af3a715c

  • SHA512

    9cb858f52aea3f273b05bbeab60c70cbe669af7d64f4fd68826dc034957858ab6ce75cce23a95df8633069eba1d88f5ceb3930b5b007078a5f99790c2bdb8ab2

  • SSDEEP

    3072:0PuFP9wPK9fHwkDygAs8sslc7TSqSz4ty:0QWCHwoQsI0TS

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d1b76e5ffd972da972372d210d4c671f964e3865a2010ff3f5e1f58af3a715c.exe
    "C:\Users\Admin\AppData\Local\Temp\7d1b76e5ffd972da972372d210d4c671f964e3865a2010ff3f5e1f58af3a715c.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\7336.vbs"
      2⤵
        PID:2748
    • C:\Windows\Terms.EXE
      C:\Windows\Terms.EXE
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4048
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1300
        2⤵
        • Program crash
        PID:1812
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4048 -ip 4048
      1⤵
        PID:1532

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\7336.vbs

    Filesize

    500B

    MD5

    fba54c558346622bc6cab5036402ee2c

    SHA1

    cbf8cdb3536af2ade301b47cce92e7f3c75dccbd

    SHA256

    7b6487f2aa98a09796d2ec8ccd800a239d566380c9d384fc22ddcbc328337bf5

    SHA512

    8340021425e446ef87a050f5d82f3a3b286dab0ba09e55eba65250c2ef327720a712ee505bb3417c9b13cf795efbbd343726e813a90b17075332e96dc73c7fd6

  • C:\Windows\Terms.EXE

    Filesize

    100.1MB

    MD5

    4fe2ebddc8b43db1b67a7d496302b2dc

    SHA1

    0b22c9d1ad3893800c8175b739fb635f4f5f64c3

    SHA256

    20ffdcd05df637dbee57b1b18ddf35554cd42497d74da28addc9d52620245fd6

    SHA512

    89fdc3457cc478326c2b2a3d06859f86b487072a39a7f0d39e1c9ec4097539f598e9c6c71618eb0754010294c5aa55a69308f2a301dd62e3b3ed0e3d6a3261cd