Overview

overview

10

Static

static

7

1811e46176...d8.exe

windows7-x64

10

1811e46176...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1811e461767ca3de358ef321e0a864d8.exe

  • Size

    741KB

  • MD5

    1811e461767ca3de358ef321e0a864d8

  • SHA1

    881915df35a7a83102632552138f8ef718d1b04a

  • SHA256

    29f69d13328efbd0dac5b0a3d2c8d44230a707429dba5bded6a646b16d8649fb

  • SHA512

    8cc0362040a8a1c43822951e0f2b728be4cd2a695c955c20e24ddf3a56a18d8651ce8cbe602750da81c70d15f7fbcb43b140312ae4016be59424e86f653a43a5

  • SSDEEP

    12288:jt0VPFfsKAkrbPlXhHANUTNqmkTHANUTNQ:SFksb1AmkA

Score
10/10
gh0stratpersistenceratupx

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1811e461767ca3de358ef321e0a864d8.exe
    "C:\Users\Admin\AppData\Local\Temp\1811e461767ca3de358ef321e0a864d8.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2688
    • \??\c:\Windows\(null)0.exe
      c:\Windows\(null)0.exe
      2⤵
      • Executes dropped EXE
      PID:2032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\(null)0.exe
    Filesize

    382KB

    MD5

    50e55af239ad382294020f3539f874da

    SHA1

    56182b08bcb8cd164300d6048858c4606a1dbf9b

    SHA256

    5ce42b29fb5ec8c6bd7ab5ffc8767f723030bbefdb0bfefdb924007d309a5d15

    SHA512

    5dc23236deea09517910fe9ef631888cc9bb3bd639bfd62967ce9236a49c85dbad75eb15b68193a64bc528c1b6702e51e6a3279ade0811e8df1c13c0483a3b8d

    Download Submit

  • memory/2032-10-0x0000000000400000-0x00000000004F1000-memory.dmp

    Filesize

    964KB

    Download

  • memory/2688-11-0x00000000026A0000-0x0000000002791000-memory.dmp

    Filesize

    964KB

    Download

  • memory/2688-0-0x0000000000400000-0x00000000004F1000-memory.dmp

    Filesize

    964KB

    Download