gh0strat | 058944a26770fe4b060fea40a1e6c0e17c827fdfafe923fc1e71f79a9c957796

General

Target

058944a26770fe4b060fea40a1e6c0e17c827fdfafe923fc1e71f79a9c957796.exe
Size

184KB
MD5

64a9f5490c661a2d937e74e8438ec410
SHA1

c8575892bd4c444c41152812a1049ed6b0a2f386
SHA256

058944a26770fe4b060fea40a1e6c0e17c827fdfafe923fc1e71f79a9c957796
SHA512

2859ae77e78288d7ecddd22983f3629f3c88138192e850c50bb4d29223ea943f18daf8c1d50cef2a0b4525f551f75b37c7ff6b2335fa8607f3cf3391a7090c6a
SSDEEP

3072:mtABk6WN1r8Vs6cYaOO/myZdZTX/WtuNs6G8uEea5IjX2mJoghtpmI+:GABk6WrVbm0XO9l8Xea5IjmmJZhtpmI

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000005c50-55.dat	family_gh0strat
behavioral1/files/0x0007000000005c50-56.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\ntfastuserswitchingcompatibility.dll"	058944a26770fe4b060fea40a1e6c0e17c827fdfafe923fc1e71f79a9c957796.exe

Deletes itself 1 IoCs

pid	Process
1948	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll	058944a26770fe4b060fea40a1e6c0e17c827fdfafe923fc1e71f79a9c957796.exe
File opened for modification	C:\Windows\SysWOW64\d2f5ca0e.del	058944a26770fe4b060fea40a1e6c0e17c827fdfafe923fc1e71f79a9c957796.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1584	058944a26770fe4b060fea40a1e6c0e17c827fdfafe923fc1e71f79a9c957796.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	1948	svchost.exe
Token: SeSecurityPrivilege	1948	svchost.exe
Token: SeSecurityPrivilege	1948	svchost.exe
Token: SeBackupPrivilege	1948	svchost.exe
Token: SeSecurityPrivilege	1948	svchost.exe
Token: SeBackupPrivilege	1948	svchost.exe
Token: SeSecurityPrivilege	1948	svchost.exe

C:\Users\Admin\AppData\Local\Temp\058944a26770fe4b060fea40a1e6c0e17c827fdfafe923fc1e71f79a9c957796.exe
"C:\Users\Admin\AppData\Local\Temp\058944a26770fe4b060fea40a1e6c0e17c827fdfafe923fc1e71f79a9c957796.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\ntfastuserswitchingcompatibility.dll

Filesize
148KB

MD5
d4cfcd376c24ff7d997b197468ce7c1d

SHA1
fcf2b2a8644136f4a54aef94c65ccb55e769c5b3

SHA256
c3546ac1a386cf62c1298e904deb813d889bb9aa2c85f8ec127785fe3dbece99

SHA512
0515186f2d0c684994a51f0506afd3972d4fb99bf2decd5ce702d922a7f7a859a039f7b5f23414977cac45b83377502b7f8d2cb45ec922e882bf42a82bb30938

Download Submit
\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll

Filesize
148KB

MD5
d4cfcd376c24ff7d997b197468ce7c1d

SHA1
fcf2b2a8644136f4a54aef94c65ccb55e769c5b3

SHA256
c3546ac1a386cf62c1298e904deb813d889bb9aa2c85f8ec127785fe3dbece99

SHA512
0515186f2d0c684994a51f0506afd3972d4fb99bf2decd5ce702d922a7f7a859a039f7b5f23414977cac45b83377502b7f8d2cb45ec922e882bf42a82bb30938

Download Submit
memory/1584-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing