gh0strat | fe76f77d15f401a592f6fa149958f3dfa56c428f7fd15299cb54278fb2c66a22

Analysis

max time kernel
164s
max time network
167s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.exe
Size

107KB
MD5

9600799c1b9ef711c48967fe354ef57c
SHA1

10bbd5671d071c66e5a1c81d3f23b3be18d37f12
SHA256

1e8cb74780f21ae6c11504f04cf084acfc4ef6a73cfa12e3bb8ce423c55cdae3
SHA512

94037e08596bc60d8541b249a655b4aa16724727415a7672879699b29db0c70d1b3064cd20fd3cc50ae5ee2b1baf9d36b93b2f1f57a2afd5fcbbc2096210b1b3
SSDEEP

3072:Rt6XkomyxsPRRf9joJFWZCZ1UTpO2BAsq+Bxa/2CGwp4jqR:Rt6XkomyxsPDf5oJFWZUO82G57/2CGw5

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral21/memory/1004-55-0x0000000000400000-0x000000000041C000-memory.dmp	family_gh0strat
\Users\Admin\AppData\Local\Temp\7172910_ex.tmp	family_gh0strat
\Windows\SysWOW64\FastUserSwitchingCompatibilityapi.dll	family_gh0strat
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityapi.dll	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Drops file in Drivers directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Drivers\beep.sys svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

run.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityapi.dll"	run.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1912 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

run.exesvchost.exe

pid process

1004 run.exe
1912 svchost.exe
Drops file in System32 directory 1 IoCs

Processes:

run.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibilityapi.dll run.exe

pid	process
1912	svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityapi.dll	run.exe

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
592	taskkill.exe
540	taskkill.exe
1632	taskkill.exe
1852	taskkill.exe
1516	taskkill.exe
1740	taskkill.exe
1376	taskkill.exe
588	taskkill.exe
1068	taskkill.exe
1156	taskkill.exe
868	taskkill.exe
2040	taskkill.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

run.exesvchost.exe

pid	process
1004	run.exe
1004	run.exe
1004	run.exe
1004	run.exe
1004	run.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	592	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

run.exe

description	pid	process	target process
PID 1004 wrote to memory of 592	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 592	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 592	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 592	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 592	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 592	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 592	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 588	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 588	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 588	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 588	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 588	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 588	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 588	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1068	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1068	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1068	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1068	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1068	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1068	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1068	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 540	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 540	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 540	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 540	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 540	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 540	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 540	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1156	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1156	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1156	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1156	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1156	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1156	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1156	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 868	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 868	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 868	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 868	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 868	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 868	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 868	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 2040	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 2040	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 2040	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 2040	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 2040	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 2040	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 2040	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1516	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1516	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1516	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1516	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1516	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1516	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1516	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1740	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1740	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1740	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1740	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1740	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1740	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1740	1004	run.exe	taskkill.exe
PID 1004 wrote to memory of 1632	1004	run.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\run.exe
"C:\Users\Admin\AppData\Local\Temp\run.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im RSTray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im safeboxTray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im 360tray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im knownsvr.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im ras.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im SuperKiller.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im RSTray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im safeboxTray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im 360tray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im knownsvr.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im ras.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im SuperKiller.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityapi.dll

Filesize
94KB

MD5
f367dd4b6fc20d741cd21c6a2b80518b

SHA1
baff0abc969bca0844b702e631abd9ceb19aff57

SHA256
d00ebaa1008609f7d928cecf8b94177d068851242ba65e34e6a2870156039099

SHA512
a9b3ad778140bbdba95dbcb43b908e4bd9ba1e6ec81504daa80fc7f8f9ca67284d215c6f22cf2bc8557e52f6578b706ddcb37d859b18cfffdeed9d56ede14df9

Download Submit
\Users\Admin\AppData\Local\Temp\7172910_ex.tmp

Filesize
94KB

MD5
f374af232c26d1f0ec5abd91c96dd3ae

SHA1
ad1e83c561619cef274036362b7f5200477bcd5d

SHA256
1b4f8df782ebb60b7d2a4297fb12d72a06a1b9c5a80f7f3efd3c212d881e689a

SHA512
ac76d90eb9656135b773a1fa43a39ea8b84916f6a6d484a215f33f278419b2e1427bc7ab57ed31df2abf169bf222a3acd6e7df1ad935beeb22c95404ec69c0d5

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibilityapi.dll

Filesize
94KB

MD5
f367dd4b6fc20d741cd21c6a2b80518b

SHA1
baff0abc969bca0844b702e631abd9ceb19aff57

SHA256
d00ebaa1008609f7d928cecf8b94177d068851242ba65e34e6a2870156039099

SHA512
a9b3ad778140bbdba95dbcb43b908e4bd9ba1e6ec81504daa80fc7f8f9ca67284d215c6f22cf2bc8557e52f6578b706ddcb37d859b18cfffdeed9d56ede14df9

Download Submit
memory/540-61-0x0000000000000000-mapping.dmp

Download
memory/588-59-0x0000000000000000-mapping.dmp

Download
memory/592-58-0x0000000000000000-mapping.dmp

Download
memory/868-65-0x0000000000000000-mapping.dmp

Download
memory/1004-56-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1004-57-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1004-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1068-60-0x0000000000000000-mapping.dmp

Download
memory/1156-62-0x0000000000000000-mapping.dmp

Download
memory/1376-77-0x0000000000000000-mapping.dmp

Download
memory/1516-72-0x0000000000000000-mapping.dmp

Download
memory/1632-75-0x0000000000000000-mapping.dmp

Download
memory/1740-73-0x0000000000000000-mapping.dmp

Download
memory/1852-78-0x0000000000000000-mapping.dmp

Download
memory/2040-71-0x0000000000000000-mapping.dmp

Download