gh0strat | aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5

Analysis

max time kernel
40s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
Size

107KB
MD5

460944f39dbfb5a0ba6e970ff38b7f70
SHA1

0dc8f066ea95aad962d85dcc8117e7484a43aeab
SHA256

aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5
SHA512

5cbbfea8bed2ef49b40ed58caf65f41ec1d2cb60b211c92624bf5633daaf3782fc728e64ace6feaa712fe61dffea942747b00e3cd1f232bec865836e4d466fb0
SSDEEP

3072:4FF90hq+Yc7Hf4oa5r5sojsj+oMy+FO/PqYY:49ycc7/4D95sqBFoP

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1652-57-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral1/memory/1652-60-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23A06C44 = "C:\\Windows\\23A06C44\\svchsot.exe"	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
Token: SeDebugPrivilege	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 372	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	24
PID 1652 wrote to memory of 372	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	24
PID 1652 wrote to memory of 372	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	24
PID 1652 wrote to memory of 372	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	24
PID 1652 wrote to memory of 372	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	24
PID 1652 wrote to memory of 372	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	24
PID 1652 wrote to memory of 372	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	24
PID 1652 wrote to memory of 384	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	4
PID 1652 wrote to memory of 384	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	4
PID 1652 wrote to memory of 384	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	4
PID 1652 wrote to memory of 384	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	4
PID 1652 wrote to memory of 384	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	4
PID 1652 wrote to memory of 384	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	4
PID 1652 wrote to memory of 384	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	4
PID 1652 wrote to memory of 420	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	3
PID 1652 wrote to memory of 420	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	3
PID 1652 wrote to memory of 420	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	3
PID 1652 wrote to memory of 420	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	3
PID 1652 wrote to memory of 420	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	3
PID 1652 wrote to memory of 420	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	3
PID 1652 wrote to memory of 420	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	3
PID 1652 wrote to memory of 464	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	2
PID 1652 wrote to memory of 464	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	2
PID 1652 wrote to memory of 464	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	2
PID 1652 wrote to memory of 464	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	2
PID 1652 wrote to memory of 464	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	2
PID 1652 wrote to memory of 464	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	2
PID 1652 wrote to memory of 464	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	2
PID 1652 wrote to memory of 480	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	1
PID 1652 wrote to memory of 480	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	1
PID 1652 wrote to memory of 480	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	1
PID 1652 wrote to memory of 480	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	1
PID 1652 wrote to memory of 480	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	1
PID 1652 wrote to memory of 480	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	1
PID 1652 wrote to memory of 480	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	1
PID 1652 wrote to memory of 488	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	23
PID 1652 wrote to memory of 488	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	23
PID 1652 wrote to memory of 488	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	23
PID 1652 wrote to memory of 488	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	23
PID 1652 wrote to memory of 488	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	23
PID 1652 wrote to memory of 488	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	23
PID 1652 wrote to memory of 488	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	23
PID 1652 wrote to memory of 584	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	5
PID 1652 wrote to memory of 584	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	5
PID 1652 wrote to memory of 584	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	5
PID 1652 wrote to memory of 584	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	5
PID 1652 wrote to memory of 584	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	5
PID 1652 wrote to memory of 584	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	5
PID 1652 wrote to memory of 584	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	5
PID 1652 wrote to memory of 660	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	22
PID 1652 wrote to memory of 660	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	22
PID 1652 wrote to memory of 660	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	22
PID 1652 wrote to memory of 660	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	22
PID 1652 wrote to memory of 660	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	22
PID 1652 wrote to memory of 660	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	22
PID 1652 wrote to memory of 660	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	22
PID 1652 wrote to memory of 724	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	21
PID 1652 wrote to memory of 724	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	21
PID 1652 wrote to memory of 724	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	21
PID 1652 wrote to memory of 724	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	21
PID 1652 wrote to memory of 724	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	21
PID 1652 wrote to memory of 724	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	21
PID 1652 wrote to memory of 724	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	21
PID 1652 wrote to memory of 792	1652	aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe	20

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:584
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:344
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1764
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1572
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1168
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1076
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1068
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:860
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:832
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:792
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:724
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:660

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe
  "C:\Users\Admin\AppData\Local\Temp\aee781b862d9d6727982d3757fad4bb1bc2f3f0cd3df4c8997cb92a51c642af5.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1652

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1144

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1652-55-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1652-57-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1652-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1652-60-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download