Overview

overview

10

Static

static

7

02381c7510...43.exe

windows7-x64

10

02381c7510...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-06-2023 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe

  • Size

    580KB

  • MD5

    87d748a0ae1ec45b8ace9a2ceb6a3766

  • SHA1

    e7d124c1b12e65d52f72f808731b3f0184a6ce10

  • SHA256

    02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43

  • SHA512

    02ea5c169f831955fd08769261fc04ab7c20fe7c53d41a1d3044323c6353d6cd41a36a8576688fcff2e540d245adaba7fa70b9180f1027b94fc59d413c5fa5eb

  • SSDEEP

    12288:I13jViY02vmO1oiRFr2vFrajw5Gc/kqO:QiY0+mOjErC2xcqO

Score
10/10
gh0stratrat

Malware Config

Extracted

Family

gh0strat

C2

125.77.168.181

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe
    "C:\Users\Admin\AppData\Local\Temp\02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Users\Public\jiudxz\jecxz.exe
      C:\Users\Public\jiudxz\jecxz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:524
    • C:\Users\Public\jiudxz\a.exe
      "C:\Users\Public\jiudxz\a.exe" -o -d C:\Users\Public\jiudxz C:\Users\Public\jiudxz\111.zip
      2⤵
      • Executes dropped EXE
      PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\jiudxz\1
    Filesize

    122KB

    MD5

    025cb2d0bc04373cede6c1d4a66860a7

    SHA1

    087267438939030b7a639d71ce36e37ad744f803

    SHA256

    a5d86f16c35b8cc37123513e9825b7540d13dac712f9f01ce0b23079827d4206

    SHA512

    3cfa1b7a3f4cc509f3e33155508d5a0c32e4e829e01bb2217bfcd2706fed2114d28b9590bfecbba734b34a9905d57c66f90f2b3b72cd4c4f7adb2642c06189e5

    Download Submit
  • C:\Users\Public\jiudxz\111.zip
    Filesize

    1.3MB

    MD5

    53d1c63890482c3279e503a1360588db

    SHA1

    ce41732262af72ee810e9d5ed6b3c435b8516f76

    SHA256

    d5a74cf2501c9c386f8d586f17f14ed4fa4a77436c857b51eb221a5106c6ebcf

    SHA512

    fe6d93e7e8f0af0ed1dd1fbfebcb9bddddfa284f6db6a056ea64f3ef7ade72380d10a316343f29f2e836174b0060e24210948b3b92cc055944ca870b6ca470b8

    Download Submit
  • C:\Users\Public\jiudxz\a.exe
    Filesize

    161KB

    MD5

    fecf803f7d84d4cfa81277298574d6e6

    SHA1

    0fd9a61bf9a361f87661de295e70a9c6795fe6a1

    SHA256

    81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

    SHA512

    a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

    Download Submit
  • C:\Users\Public\jiudxz\a.exe
    Filesize

    161KB

    MD5

    fecf803f7d84d4cfa81277298574d6e6

    SHA1

    0fd9a61bf9a361f87661de295e70a9c6795fe6a1

    SHA256

    81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

    SHA512

    a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

    Download Submit
  • C:\Users\Public\jiudxz\jecxz.exe
    Filesize

    1008KB

    MD5

    e392cdd1a09a7510225aa614a1bbea11

    SHA1

    a0c79045eafc0b211843ec425a08af35464e5698

    SHA256

    349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

    SHA512

    ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

    Download Submit
  • C:\Users\Public\jiudxz\jecxz.exe
    Filesize

    1008KB

    MD5

    e392cdd1a09a7510225aa614a1bbea11

    SHA1

    a0c79045eafc0b211843ec425a08af35464e5698

    SHA256

    349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

    SHA512

    ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

    Download Submit
  • \Users\Public\jiudxz\a.exe
    Filesize

    161KB

    MD5

    fecf803f7d84d4cfa81277298574d6e6

    SHA1

    0fd9a61bf9a361f87661de295e70a9c6795fe6a1

    SHA256

    81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

    SHA512

    a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

    Download Submit
  • \Users\Public\jiudxz\a.exe
    Filesize

    161KB

    MD5

    fecf803f7d84d4cfa81277298574d6e6

    SHA1

    0fd9a61bf9a361f87661de295e70a9c6795fe6a1

    SHA256

    81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

    SHA512

    a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

    Download Submit
  • \Users\Public\jiudxz\jecxz.exe
    Filesize

    1008KB

    MD5

    e392cdd1a09a7510225aa614a1bbea11

    SHA1

    a0c79045eafc0b211843ec425a08af35464e5698

    SHA256

    349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

    SHA512

    ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

    Download Submit
  • \Users\Public\jiudxz\jecxz.exe
    Filesize

    1008KB

    MD5

    e392cdd1a09a7510225aa614a1bbea11

    SHA1

    a0c79045eafc0b211843ec425a08af35464e5698

    SHA256

    349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

    SHA512

    ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

    Download Submit
  • memory/524-69-0x0000000000530000-0x0000000000546000-memory.dmp
    Filesize

    88KB

    Download
  • memory/524-93-0x0000000000530000-0x0000000000546000-memory.dmp
    Filesize

    88KB

    Download
  • memory/904-54-0x0000000000400000-0x00000000005B6000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/904-59-0x0000000000400000-0x00000000005B6000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/904-57-0x0000000000400000-0x00000000005B6000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/904-55-0x0000000000400000-0x00000000005B6000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/904-56-0x0000000000400000-0x00000000005B6000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/904-90-0x0000000000400000-0x00000000005B6000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/904-94-0x0000000000400000-0x00000000005B6000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1540-89-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

    Download