gh0strat | 79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13

Analysis

max time kernel
190s
max time network
249s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe
Size

292KB
MD5

341429bd85a98b4301c16af5fa23e235
SHA1

58c6e39d02fabc8aeedc21b824fcb55aaa770630
SHA256

79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13
SHA512

03e2c067cde37b650469a7eb670e5d0e398e288158b73ef82c13b3c8f220e69f52b7fcd3b40a99fb89a458ac7b8ba1ed30292774cda98dd6775ec8cf7b6060c4
SSDEEP

6144:0sehzRFYGJAySZ9Llhb4b1gdupKo+0rWglLxJD:0rsGWZTSOupKo+jAF

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe	family_gh0strat
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

SO.Exe

pid process

2972 SO.Exe

pid	process
2972	SO.Exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SO.Exe

pid process

2972 SO.Exe

pid	process
2972	SO.Exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe

description	pid	process	target process
PID 1668 wrote to memory of 2972	1668	79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe	SO.Exe
PID 1668 wrote to memory of 2972	1668	79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe	SO.Exe
PID 1668 wrote to memory of 2972	1668	79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe	SO.Exe

C:\Users\Admin\AppData\Local\Temp\79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe
"C:\Users\Admin\AppData\Local\Temp\79df874b96c1f1b9a979636e90fb84763df74b81a124c7684a07d31916aa3f13.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
Filesize
461KB

MD5
cb0db843a9fe8f09283593fb3e8ef054

SHA1
aab03444b0f1395eba09639f06a6706f2ae19dd6

SHA256
818a08a78b3a1c5d452952698d3210290ba9ec352bfb58e0b73df2f59b598775

SHA512
058f21d131956972124e47ffcb2a8bd9545054679c10275fdd110264a8d0110dd1ab02b67cdd56cb5ddef59f0de15ebc011a4af37bb5824ed9492e627ec313ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
Filesize
461KB

MD5
cb0db843a9fe8f09283593fb3e8ef054

SHA1
aab03444b0f1395eba09639f06a6706f2ae19dd6

SHA256
818a08a78b3a1c5d452952698d3210290ba9ec352bfb58e0b73df2f59b598775

SHA512
058f21d131956972124e47ffcb2a8bd9545054679c10275fdd110264a8d0110dd1ab02b67cdd56cb5ddef59f0de15ebc011a4af37bb5824ed9492e627ec313ea

Download Submit
memory/2972-132-0x0000000000000000-mapping.dmp

Download