Overview

overview

10

Static

static

3

关于公�...��.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    97s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06/03/2025, 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    关于公司人事调整通知!.exe

  • Size

    211KB

  • MD5

    c104dce7ac77b6154e5235e8bf0ecd19

  • SHA1

    64d2165f1ecb6c68358592c65e29caf68937386a

  • SHA256

    e41b8ea141681fb21c0a4bcf6af20529249e1637a3af9f46a68899e8e39f1b86

  • SHA512

    249d4f5e8c3475a9bb4a735eca8c47c8758470645a43ebaf3899c2f30d2c79a293064ee563dfe7c3a54d3c24daaa28128cd9df10a6b74bd1b9cf562e388be744

  • SSDEEP

    3072:dRsxM0KfuUfBbG6996HM0XU+aDe5UEGJSKz7ccRJMM3Ojl5My3LSEA0QchHnNt4f:dOzSG6hn+aCyIK3ccnMxjRA0Qchtivn

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\关于公司人事调整通知!.exe
    "C:\Users\Admin\AppData\Local\Temp\关于公司人事调整通知!.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    PID:4396
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:232
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1888
    • C:\Users\Admin\AppData\Local\Temp\关于公司人事调整通知!.exe
      "C:\Users\Admin\AppData\Local\Temp\关于公司人事调整通知!.exe"
      1⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 464
        2⤵
        • Program crash
        PID:5092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4700 -ip 4700
      1⤵
        PID:992
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /0
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3116
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\system32\NETSTAT.EXE
          netstat -ano
          2⤵
          • System Network Connections Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:4972

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3116-78-0x0000025C4E870000-0x0000025C4E871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3116-77-0x0000025C4E870000-0x0000025C4E871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3116-76-0x0000025C4E870000-0x0000025C4E871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3116-87-0x0000025C4E870000-0x0000025C4E871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3116-82-0x0000025C4E870000-0x0000025C4E871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3116-83-0x0000025C4E870000-0x0000025C4E871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3116-84-0x0000025C4E870000-0x0000025C4E871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3116-85-0x0000025C4E870000-0x0000025C4E871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3116-86-0x0000025C4E870000-0x0000025C4E871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-34-0x00000000025A0000-0x00000000025A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-30-0x00000000025B0000-0x00000000025B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-23-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-22-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-21-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-20-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-19-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-18-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-17-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-16-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-15-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-14-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-13-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-12-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-10-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-11-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-7-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-4-0x00000000025E0000-0x00000000025E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-6-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-3-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-2-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-9-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-36-0x0000000002580000-0x0000000002581000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-35-0x0000000002590000-0x0000000002591000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-27-0x0000000002490000-0x0000000002491000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-33-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-32-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-31-0x0000000002570000-0x0000000002571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-26-0x00000000025F0000-0x00000000025F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-37-0x0000000010000000-0x0000000010009000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4396-40-0x0000000000400000-0x0000000000473000-memory.dmp

        Filesize

        460KB

        Download

      • memory/4396-41-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-42-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-55-0x0000000002490000-0x0000000002491000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-54-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-53-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-52-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-51-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-50-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-49-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-48-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-47-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-46-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-45-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-44-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-43-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-56-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-62-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-61-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-60-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-24-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-8-0x0000000002550000-0x0000000002553000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4396-1-0x0000000002560000-0x0000000002561000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-0-0x0000000000400000-0x0000000000473000-memory.dmp

        Filesize

        460KB

        Download

      • memory/4396-59-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-58-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4396-57-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4700-67-0x0000000000400000-0x0000000000473000-memory.dmp

        Filesize

        460KB

        Download

      • memory/4700-74-0x0000000000400000-0x0000000000473000-memory.dmp

        Filesize

        460KB

        Download