Overview

overview

10

Static

static

1

097b0639ea...fc.exe

windows7-x64

7

097b0639ea...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2023 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc.exe

  • Size

    508KB

  • MD5

    e2b41d74c9b417aacaf1cf0e5b0df5db

  • SHA1

    31c5039f7a2534f8a8b0915b62f3a6f744c1f0b0

  • SHA256

    097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc

  • SHA512

    0c24501b697a2b073a66a2879cc80c46a953b7d84511126d481724afe07ff063f91cbecd73ff5502c66b09f72e10a926bd72b627d8b8a9d7465a7c887fbb671a

  • SSDEEP

    12288:hh9rd3EzdxmW/MW9W2tBKDeUlQBPoriT:z+xBLIHtQGiT

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 32 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc.exe
    "C:\Users\Admin\AppData\Local\Temp\097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3340
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe C:\Users\Public\Music\5Ns1Sc
      2⤵
        PID:1392
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Roaming\Oe6Xa\RPct.exe
        "C:\Users\Admin\AppData\Roaming\Oe6Xa\RPct.exe" C:\Users\Admin\AppData\Roaming\Oe6Xa\pPv.zip -d C:\Users\Admin\AppData\Roaming
        2⤵
        • Drops startup file
        • Executes dropped EXE
        PID:1884
      • C:\Users\Public\Pictures\Rice\QaRaKu\5MMDYX.exe
        "C:\Users\Public\Pictures\Rice\QaRaKu\5MMDYX.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:820
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4296

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
        Filesize

        28KB

        MD5

        a0723f7987951a01d2fa4a9e35366bff

        SHA1

        4b8dd1e7a9a8a783148c118e93d7afecc5812252

        SHA256

        0543c6f49c2c353078198625a92cdec6cf796320949026d0891c1df508652e8f

        SHA512

        22a2adae4b2596a8f855f8c43137eabbede5036ede49344e6490462955c697b566bdea9d121627b3fe117dc60de63d159961abc9df3be1a6b7ef96063a691bd2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Oe6Xa\RPct.exe
        Filesize

        142KB

        MD5

        bbaea75e78b80434b7cd699749b93a97

        SHA1

        c7d151758cb88dee39dbb5f4cd30e7d226980dde

        SHA256

        c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

        SHA512

        7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Oe6Xa\RPct.exe
        Filesize

        142KB

        MD5

        bbaea75e78b80434b7cd699749b93a97

        SHA1

        c7d151758cb88dee39dbb5f4cd30e7d226980dde

        SHA256

        c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

        SHA512

        7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Oe6Xa\RPct.exe
        Filesize

        142KB

        MD5

        bbaea75e78b80434b7cd699749b93a97

        SHA1

        c7d151758cb88dee39dbb5f4cd30e7d226980dde

        SHA256

        c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

        SHA512

        7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Oe6Xa\pPv.zip
        Filesize

        992B

        MD5

        2267710abd41f7a7f47f0a3a5fea91d1

        SHA1

        823ae09dcaccb4245807c62f4122e8bc5569aaa3

        SHA256

        ffa7245c6321cdbcda689ad72c83330be99f2a9c26f6159e2c4fb2ab061b3cee

        SHA512

        cbca360b17d855af0615c04533c46f0afb7c35bada6449603de51d2d766b4b41dfbc049b41adaa67cf7744f2ea83729b8d420a06681d620c6ef91d456e55d752

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\1aKrE1.lnk
        Filesize

        1002B

        MD5

        2c9e0e1ab46cac6ca4b1bdba17b22d38

        SHA1

        d3a243b3db49ca919558fbd73fa254e9ecdda63a

        SHA256

        b4a77f7538e92e911d2d95e8586698bf99126e1cacb0ebfa86344391d49ce810

        SHA512

        727dbe4fe260c9fa289c84fa7aca0ec4d87fb47c6f4c94f6dc7c1cba600d731f9a8354f224ea0a3ff8df281ae547d14e86c2a90bfdd5934cd6b40f3b60ecb499

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\7CtSXg.url
        Filesize

        135B

        MD5

        8587ca487ef832ae6cc9ec50ccedefe0

        SHA1

        767c8b9e1efce2553b770576b63c5cc15bc2f57e

        SHA256

        2e8f10e46a94f6865c306b2683b4e0997140574c6ef614944bf8748b7e9ab5f9

        SHA512

        e522d4b43cc5f119e0e9962253ca9759dcd1d9e9fa92bc57c713809feb5b467136ca7e00c9b282bbf4520793016d96e6ae45a37c0aebb3dbe340baa8f51ec63d

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\8d8kxr.lnk
        Filesize

        1002B

        MD5

        9eb3561db690522117f7087bc899c4cc

        SHA1

        d1ef60a0f9ba507b74df092ec81512daee009af2

        SHA256

        9e0f0b1feed90e8981b975138139d5cc9afabf86ba166904e95f5a95fae6f5a8

        SHA512

        c972fb6378dc46639be39106d3d5b082862516eaf2a4b2f0b0b1a124139bd17eed84f186b82288f5a8054969139d76cd2368bbdf1170c181b1c60733b53bbc46

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\NLe6pB.url
        Filesize

        135B

        MD5

        8587ca487ef832ae6cc9ec50ccedefe0

        SHA1

        767c8b9e1efce2553b770576b63c5cc15bc2f57e

        SHA256

        2e8f10e46a94f6865c306b2683b4e0997140574c6ef614944bf8748b7e9ab5f9

        SHA512

        e522d4b43cc5f119e0e9962253ca9759dcd1d9e9fa92bc57c713809feb5b467136ca7e00c9b282bbf4520793016d96e6ae45a37c0aebb3dbe340baa8f51ec63d

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\Q0kVCx.url
        Filesize

        135B

        MD5

        8587ca487ef832ae6cc9ec50ccedefe0

        SHA1

        767c8b9e1efce2553b770576b63c5cc15bc2f57e

        SHA256

        2e8f10e46a94f6865c306b2683b4e0997140574c6ef614944bf8748b7e9ab5f9

        SHA512

        e522d4b43cc5f119e0e9962253ca9759dcd1d9e9fa92bc57c713809feb5b467136ca7e00c9b282bbf4520793016d96e6ae45a37c0aebb3dbe340baa8f51ec63d

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\ShxTbb.lnk
        Filesize

        1002B

        MD5

        3b3008e2acc175c314241097b6c96e73

        SHA1

        fbfb0167c5cd3788191430dea8a74446d64a1504

        SHA256

        1355121e41e183f53309458d5395080d7d268eadf534f393a9d1458a311d55c5

        SHA512

        f39529c7bbf24fe29b1e8e3535e93508e2774e105c243c39e0640aaa65406d504a74c0788eddb402b3b90b3112fe70413a0632bd5d764bf736a88342cf0d18a9

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\TrGMJb.lnk
        Filesize

        1002B

        MD5

        c1cc657e3674f7c7a148c961deb42d5c

        SHA1

        2514b7734da65a7ecf7d46718104cdf1e1b16455

        SHA256

        4715f173fc5fb3fdf1c06636a1a9ce4b1f93727184cfda2def9d913d361432c7

        SHA512

        8078238cdaa6c9cb8611ca7997c39dc8b3a13c9fb1e819e38f8238456d5359ccc926174d9ac5edec70cdd0989b085a1bd38b84eaca7ad45ab3405a6a7fb52467

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\VboI79.lnk
        Filesize

        1002B

        MD5

        3b3008e2acc175c314241097b6c96e73

        SHA1

        fbfb0167c5cd3788191430dea8a74446d64a1504

        SHA256

        1355121e41e183f53309458d5395080d7d268eadf534f393a9d1458a311d55c5

        SHA512

        f39529c7bbf24fe29b1e8e3535e93508e2774e105c243c39e0640aaa65406d504a74c0788eddb402b3b90b3112fe70413a0632bd5d764bf736a88342cf0d18a9

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\XQPXvq.url
        Filesize

        135B

        MD5

        8587ca487ef832ae6cc9ec50ccedefe0

        SHA1

        767c8b9e1efce2553b770576b63c5cc15bc2f57e

        SHA256

        2e8f10e46a94f6865c306b2683b4e0997140574c6ef614944bf8748b7e9ab5f9

        SHA512

        e522d4b43cc5f119e0e9962253ca9759dcd1d9e9fa92bc57c713809feb5b467136ca7e00c9b282bbf4520793016d96e6ae45a37c0aebb3dbe340baa8f51ec63d

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\XQPXvq.url
        Filesize

        135B

        MD5

        8587ca487ef832ae6cc9ec50ccedefe0

        SHA1

        767c8b9e1efce2553b770576b63c5cc15bc2f57e

        SHA256

        2e8f10e46a94f6865c306b2683b4e0997140574c6ef614944bf8748b7e9ab5f9

        SHA512

        e522d4b43cc5f119e0e9962253ca9759dcd1d9e9fa92bc57c713809feb5b467136ca7e00c9b282bbf4520793016d96e6ae45a37c0aebb3dbe340baa8f51ec63d

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\h2l6x6.url
        Filesize

        135B

        MD5

        8587ca487ef832ae6cc9ec50ccedefe0

        SHA1

        767c8b9e1efce2553b770576b63c5cc15bc2f57e

        SHA256

        2e8f10e46a94f6865c306b2683b4e0997140574c6ef614944bf8748b7e9ab5f9

        SHA512

        e522d4b43cc5f119e0e9962253ca9759dcd1d9e9fa92bc57c713809feb5b467136ca7e00c9b282bbf4520793016d96e6ae45a37c0aebb3dbe340baa8f51ec63d

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\hr3Wmi.lnk
        Filesize

        1002B

        MD5

        8c9c887b41784aa639655b9d2eee7899

        SHA1

        cffaa941260e8be04c900bb20655d2818047f54b

        SHA256

        d4b593f17344626b045266d568369b9a0be8814d06f1e9170039ef8c5b139f1c

        SHA512

        6121f5be21da8c95056e7c374bed54fff20a6b3acc30c2fd986570b381c5ded16083d93af60646ae61d4022a569d6e35074bd5093411ce505e6568199383b6db

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\mPbfn1.url
        Filesize

        135B

        MD5

        8587ca487ef832ae6cc9ec50ccedefe0

        SHA1

        767c8b9e1efce2553b770576b63c5cc15bc2f57e

        SHA256

        2e8f10e46a94f6865c306b2683b4e0997140574c6ef614944bf8748b7e9ab5f9

        SHA512

        e522d4b43cc5f119e0e9962253ca9759dcd1d9e9fa92bc57c713809feb5b467136ca7e00c9b282bbf4520793016d96e6ae45a37c0aebb3dbe340baa8f51ec63d

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\nzTbM0.url
        Filesize

        135B

        MD5

        8587ca487ef832ae6cc9ec50ccedefe0

        SHA1

        767c8b9e1efce2553b770576b63c5cc15bc2f57e

        SHA256

        2e8f10e46a94f6865c306b2683b4e0997140574c6ef614944bf8748b7e9ab5f9

        SHA512

        e522d4b43cc5f119e0e9962253ca9759dcd1d9e9fa92bc57c713809feb5b467136ca7e00c9b282bbf4520793016d96e6ae45a37c0aebb3dbe340baa8f51ec63d

        Download Submit

      • C:\Users\Public\Music\5Ns1Sc\oCPsXG.lnk
        Filesize

        1002B

        MD5

        4f086b3797b0202a1640258667437fb8

        SHA1

        b125ea28bf7c3e625f0cda31d321372717542257

        SHA256

        2619b8249b8b8dd13a932c1f35868a84e404513030fc49cba80b0170e885016d

        SHA512

        3a80c2dbbf54e162854236521caa7a687a8d36a5a517fad3fc621073b21db9a0122fcb3ee7d251acca791394a4d45864c373b1103100dd87f5493a62cb1cbd5a

        Download Submit

      • C:\Users\Public\Pictures\Rice\QaRaKu\5MMDYX.exe
        Filesize

        20KB

        MD5

        9406935aaf579b54c49d6edc8ee41bca

        SHA1

        d73466186a2984b5cb46aa580064f1d1f2ac53fb

        SHA256

        5618073f97b233b9929895974b9e955d400a89030e82bbbe44ebdee979e21150

        SHA512

        bd51c1a50d6a01a52672f290d33e0bf75a69c81f410833ca66e674755918c333d2bcbbf2f04f9e8df8fca6cee14c70975dc089f71a221d0d47a1110ccc610a4c

        Download Submit

      • C:\Users\Public\Pictures\Rice\QaRaKu\5MMDYX.exe
        Filesize

        20KB

        MD5

        9406935aaf579b54c49d6edc8ee41bca

        SHA1

        d73466186a2984b5cb46aa580064f1d1f2ac53fb

        SHA256

        5618073f97b233b9929895974b9e955d400a89030e82bbbe44ebdee979e21150

        SHA512

        bd51c1a50d6a01a52672f290d33e0bf75a69c81f410833ca66e674755918c333d2bcbbf2f04f9e8df8fca6cee14c70975dc089f71a221d0d47a1110ccc610a4c

        Download Submit

      • C:\Users\Public\Pictures\Rice\QaRaKu\5MMDYX.exe0rPrtdb
        Filesize

        20KB

        MD5

        9406935aaf579b54c49d6edc8ee41bca

        SHA1

        d73466186a2984b5cb46aa580064f1d1f2ac53fb

        SHA256

        5618073f97b233b9929895974b9e955d400a89030e82bbbe44ebdee979e21150

        SHA512

        bd51c1a50d6a01a52672f290d33e0bf75a69c81f410833ca66e674755918c333d2bcbbf2f04f9e8df8fca6cee14c70975dc089f71a221d0d47a1110ccc610a4c

        Download Submit

      • C:\Users\Public\Pictures\Rice\QaRaKu\info.txt
        Filesize

        1.1MB

        MD5

        f8c3b14bb1762fcd666742bcfe20a933

        SHA1

        c3b355c4cc58e1939ee016ca24ddb520c5f0aa83

        SHA256

        b80886fe89d35394b52718e3ca67e82988e4c4dd14bbddcb893d4863cfe2b9f7

        SHA512

        13970c774d1251bf707f9b9859d9e4dfe7ca4c1348e21def839082172f1c4df611c1af2b42f47a057399b744cd36c458d2c5caf448811a3043625ddc8129fd8c

        Download Submit

      • C:\Users\Public\Pictures\Rice\QaRaKu\libglib-2.0-0.dll
        Filesize

        581KB

        MD5

        594e5aa3efbe21b7a8b067c283694994

        SHA1

        b24e0cd6245ee8a5971f80b6fd04999a89132148

        SHA256

        e28e4f274318b738870e40ab66fdf461b527a76362f5df6d9e651f8f28c1bb39

        SHA512

        712cf7448c815399510fd1d4689b32457095f4fdab1efb3c4fa900010d95c43434093bdc8761fa098a549c9fb16b2f6f6fda653b74175f30a63a468c89f622cb

        Download Submit

      • C:\Users\Public\Pictures\Rice\QaRaKu\libglib-2.0-0.dll
        Filesize

        581KB

        MD5

        594e5aa3efbe21b7a8b067c283694994

        SHA1

        b24e0cd6245ee8a5971f80b6fd04999a89132148

        SHA256

        e28e4f274318b738870e40ab66fdf461b527a76362f5df6d9e651f8f28c1bb39

        SHA512

        712cf7448c815399510fd1d4689b32457095f4fdab1efb3c4fa900010d95c43434093bdc8761fa098a549c9fb16b2f6f6fda653b74175f30a63a468c89f622cb

        Download Submit

      • C:\Users\Public\e50g5O.zip
        Filesize

        453KB

        MD5

        d74bdae43d80c4936414eb7e105074bc

        SHA1

        606a9427170789432cdbef5294660a7ea555b6d4

        SHA256

        decdaf1b0a1fa3fa4fefb815aacc3dbe27041ac88c94aefebce64bbf86da8735

        SHA512

        3966e24501c2e8b65bdd1a0126d80a15b8312a250a37503a739087580ba3a3689fb7dfe3ee863afbcf5426d69def0071fb4234c4b4d2d37e59f00589c1adee4d

        Download Submit

      • memory/820-214-0x00000000029B0000-0x0000000002A10000-memory.dmp

        Filesize

        384KB

        Download

      • memory/820-217-0x0000000000700000-0x000000000070F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/820-225-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/820-226-0x0000000003AA0000-0x0000000003BEB000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/820-229-0x0000000003AA0000-0x0000000003BEB000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/820-230-0x0000000003AA0000-0x0000000003BEB000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3340-151-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

        Filesize

        8KB

        Download