Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2023, 04:41

General

  • Target

    05baf7aab411250830c065737320af88.exe

  • Size

    133KB

  • MD5

    05baf7aab411250830c065737320af88

  • SHA1

    8039eb60a620e0b275af1e3f742850d846d89947

  • SHA256

    45ab670a19a585dd60827262b572c9db7e4413bac9257af9b4b1185df961683d

  • SHA512

    7651c1ccb685944533b9cfcee48c85407083dedc6017cf3908249ff0d5fae16a9f6d9b1d7235634d0a5d05c10cca13404a2af8334cac11152f91928d16507072

  • SSDEEP

    3072:hUasnnVCKBt2q0nyXUmKR6dWj/RaYJ1h5JRaxs5e5:hUasnnVhBt2qKCUm0bjZxJ1mL

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Blocklisted process makes network request 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05baf7aab411250830c065737320af88.exe
    "C:\Users\Admin\AppData\Local\Temp\05baf7aab411250830c065737320af88.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Drops file in Windows directory
    PID:2644
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\web\e57418dkill.dll wintest
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\web\e57418dkill.dll

    Filesize

    99KB

    MD5

    3240584a55e127ed2b23384d5df6069c

    SHA1

    c800976ecfe5d919465857606b0a6c9248f9baba

    SHA256

    75289bafd867fb34ec01204afa19631fa0b3e449446ca478657ae8a6c54ddd7a

    SHA512

    cd7ae3fbb63a90be19ea2bb18ca40d91f03c41ed36328e3e1f6de14578541d67fcda48102dd60a1111da7b24601aa04f0c144dbb9dfc776c64e2f14dbfc8f136

  • memory/1876-5-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2644-0-0x0000000000400000-0x000000000041FEF0-memory.dmp

    Filesize

    127KB

  • memory/2644-3-0x0000000000400000-0x000000000041FEF0-memory.dmp

    Filesize

    127KB

  • memory/2808-7-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB