Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-05-2024 08:12

General

  • Target

    68ac4865ef5f7046ccf887d0da4398091b6209d6992246fc596aec49bf2d817a.exe

  • Size

    11.6MB

  • MD5

    babb30e61fdef65e913d6ea164301077

  • SHA1

    edb712f4837ae0ca2205408dd9a388ee33c2bd76

  • SHA256

    68ac4865ef5f7046ccf887d0da4398091b6209d6992246fc596aec49bf2d817a

  • SHA512

    b522175ff1c488eb780bc0a7f24a1979b15299568144c9dcf10e995cda1960aa4349a23ac61606398fe7c0ae850a1c6668538bc30ac3f7faf4ac9bcc8d6cfd36

  • SSDEEP

    196608:K2tnjp+sHMWh+lmnqg/ivIbuUN0tZo+mNbM3bwIihTtvHkP5KhvXRRdCqM4ABrGl:bnjsyM9l2R6gamsbmNbGihpHr9Rj5A6I

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or with modified UPX variants.

  • Drops file in System32 directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68ac4865ef5f7046ccf887d0da4398091b6209d6992246fc596aec49bf2d817a.exe
    "C:\Users\Admin\AppData\Local\Temp\68ac4865ef5f7046ccf887d0da4398091b6209d6992246fc596aec49bf2d817a.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\GLk.exe
      C:\Users\Admin\AppData\Local\Temp\\GLk.exe
      2⤵
      • Sets DLL path for service in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:2524
    • C:\Users\Admin\AppData\Local\Temp\HD_68ac4865ef5f7046ccf887d0da4398091b6209d6992246fc596aec49bf2d817a.exe
      C:\Users\Admin\AppData\Local\Temp\\HD_68ac4865ef5f7046ccf887d0da4398091b6209d6992246fc596aec49bf2d817a.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3396
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "svchist"
    1⤵
    PID:888
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "svchist"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\SysWOW64\svchist.exe
        C:\Windows\system32\svchist.exe "c:\windows\system32\240600078.bat",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3984
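
The tree above is a service-host abuse chain: two copies of svchost.exe are started with a service group ("svchist") that is not a stock Windows group, and a look-alike binary svchist.exe then loads a file with a .bat extension as a module by export name (",MainThread"), the same shape as a ServiceDll or rundll32-style invocation. The following is an added example, not part of the sandbox report: a small rule set run over process-creation records (the fields Sysmon Event ID 1 or an EDR would give you) that flags exactly those three traits. The sample records are constructed from the PIDs, image paths and command lines listed under "Processes" above; the allow-list of svchost groups is an illustrative subset and should be rebuilt from a clean reference image of the same Windows build.

```python
"""Flag the svchost abuse pattern from the process tree (added example)."""
import re
from dataclasses import dataclass

# ASSUMPTION: illustrative subset of the stock service groups under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. Build the real
# allow-list from a clean reference image of the same Windows build.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localsystemnetworkrestricted", "localservicenetworkrestricted",
    "localservicenonetwork", "localservicenonetworkfirewall", "wsappx", "utcsvc",
}
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Extensions that should never be handed to a loader as a service/rundll module.
NON_DLL_MODULE_EXTS = (".bat", ".dat", ".txt", ".tmp", ".jpg", ".png")

SVCHOST_K = re.compile(r'-k\s+"?([^\s"]+)"?', re.IGNORECASE)
# "<path>",<ExportName>   (the svchist.exe "...240600078.bat",MainThread shape)
MODULE_EXPORT = re.compile(r'"?([^"\s]+?\.(\w+))"?\s*,\s*([A-Za-z_]\w*)')


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter look-alikes of svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def svchost_group(cmdline: str):
    m = SVCHOST_K.search(cmdline)
    return m.group(1).lower() if m else None


def check(ev: ProcEvent) -> list:
    """Return the list of findings for one process-creation record."""
    findings = []
    image_l = ev.image.lower()
    name = image_l.rsplit("\\", 1)[-1]
    stem = name[:-4] if name.endswith(".exe") else name
    if name == "svchost.exe":
        if not image_l.startswith(LEGIT_SVCHOST_DIRS):
            findings.append("svchost.exe outside System32/SysWOW64")
        grp = svchost_group(ev.cmdline)
        if grp is None:
            findings.append("svchost.exe started without -k group")
        elif grp not in KNOWN_SVCHOST_GROUPS:
            findings.append(f"unknown svchost group {grp!r}")
    elif 1 <= edit_distance(stem, "svchost") <= 2:
        findings.append(f"image name {name!r} masquerades as svchost.exe")
    m = MODULE_EXPORT.search(ev.cmdline)
    if m and ("." + m.group(2).lower()) in NON_DLL_MODULE_EXTS:
        findings.append(f"loads non-DLL module {m.group(1)!r} via export {m.group(3)!r}")
    return findings


def analyze(events) -> dict:
    """Map PID -> findings for every record that triggered at least one rule."""
    out = {}
    for ev in events:
        f = check(ev)
        if f:
            out[ev.pid] = f
    return out


# Constructed from the "Processes" section of this report.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SHA = "68ac4865ef5f7046ccf887d0da4398091b6209d6992246fc596aec49bf2d817a"
SAMPLE_EVENTS = [
    ProcEvent(1244, rf"{TEMP}\{SHA}.exe", rf'"{TEMP}\{SHA}.exe"'),
    ProcEvent(2524, rf"{TEMP}\GLk.exe", rf"{TEMP}\\GLk.exe"),
    ProcEvent(3396, rf"{TEMP}\HD_{SHA}.exe", rf"{TEMP}\\HD_{SHA}.exe"),
    ProcEvent(888, r"C:\Windows\SysWOW64\svchost.exe", r'C:\Windows\SysWOW64\svchost.exe -k "svchist"'),
    ProcEvent(1924, r"C:\Windows\SysWOW64\svchost.exe", r'C:\Windows\SysWOW64\svchost.exe -k "svchist"'),
    ProcEvent(3984, r"C:\Windows\SysWOW64\svchist.exe",
              r'C:\Windows\system32\svchist.exe "c:\windows\system32\240600078.bat",MainThread'),
]

if __name__ == "__main__":
    for pid, findings in analyze(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"PID {pid}: {f}")
```

Run against the constructed records, only PIDs 888, 1924 and 3984 trigger: the two svchost.exe instances for the unknown "svchist" group, and svchist.exe both for the look-alike name and for loading 240600078.bat by export. The three dropper-stage processes in Temp produce no findings, which is the point: the service-host stage is the durable, hunt-worthy part of the chain, and the same rules apply unchanged to real Sysmon Event ID 1 data once the Image and CommandLine fields are mapped onto ProcEvent.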

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\GLk.exe

      Filesize

      337KB

      MD5

      b8e58a96761799f4ad0548dba39d650c

      SHA1

      c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f

      SHA256

      334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df

      SHA512

      1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

    • C:\Users\Admin\AppData\Local\Temp\HD_68ac4865ef5f7046ccf887d0da4398091b6209d6992246fc596aec49bf2d817a.exe

      Filesize

      10.4MB

      MD5

      6acfaf993d52998a4a084b2df45ef4b1

      SHA1

      f1e732b33315fcb97a094fc32232531ad9e68524

      SHA256

      bf9b32a64e76698d773c7572e1dfd7665a3e951bf1dd6ef51738dc99af58c76e

      SHA512

      9e70133b5a4846f3daa28778e11028f96cbe27da77699c9976a867b5655f704848136a27dbd9ded4c40603eddf045a66d642db7cd7e71e3e674abe57291ec291

    • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

      Filesize

      1.2MB

      MD5

      93bd7c53b5d5075a012039b0ed7a19bc

      SHA1

      21db18e3b04912518b940d3c818e8abcf97b5161

      SHA256

      d3e5503b6b258142b49e703eed70fe0c860722df333b10866daf33cab0523357

      SHA512

      97711ef14a35e45951c0e380d70e1687ec9ed15aa866b68ff36521623517ec27d683a4d794a9dfabb98dfc1dab3881721dbad34f3d757cc97c2574aea05110b9

    • C:\Windows\SysWOW64\240600078.bat

      Filesize

      51KB

      MD5

      303dbeece437fa01c742f12f45e3a381

      SHA1

      bcef4152470e4751c535ac4418496036fa64d284

      SHA256

      4044f6210f0a92ab85cd07c7378b337f213266b9f77ac04ddbdc4fb0029ecd88

      SHA512

      29ae71aedc0db4340bf5dc40bbb9ec96685224d680e4486d185bbcdf740b50cf09171289704e8e381f6f6477939ffb096dd436dcd380a097ca2f63c972713e2c

    • C:\Windows\SysWOW64\svchist.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    • memory/3396-18-0x0000000010000000-0x0000000010116000-memory.dmp

      Filesize

      1.1MB

    • memory/3396-23-0x0000000000400000-0x0000000001467000-memory.dmp

      Filesize

      16.4MB

    • memory/3396-28-0x0000000000400000-0x0000000001467000-memory.dmp

      Filesize

      16.4MB