gh0strat | ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51

Analysis

max time kernel
146s
max time network
94s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 14:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe
Size

183KB
MD5

eed406b84a1a317de2156d4504e2ccb8
SHA1

ec34ff31d0c9a659bd29e20a7bf5035e810ec4a8
SHA256

ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51
SHA512

fabe074d9bf738021b6542eeac341cbfb38a0b472f60be9f55a4853e3f9ef3b65f4f5e60634d95d6d8cb135de50e3a973f498a5b67096f9d3a5fa14ad13d4a39
SSDEEP

3072:rMqKbTtCSIT0chwzzcdZKF8UvvoeWofjjpAVioRF8s//NLj6h+EvtRq:49MMmwzlqUHoeWofjjpAViY/lH6h+Evq

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/340-57-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/340-60-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXXCC274A3C = "C:\\Windows\\XXXXXXCC274A3C\\svchsot.exe"	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\XXXXXXCC274A3C\JH.BAT	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1232	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
340	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe
340	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe
340	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe
340	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
340	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 764	340	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe	28
PID 340 wrote to memory of 764	340	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe	28
PID 340 wrote to memory of 764	340	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe	28
PID 340 wrote to memory of 764	340	ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe	28
PID 764 wrote to memory of 1136	764	cmd.exe	30
PID 764 wrote to memory of 1136	764	cmd.exe	30
PID 764 wrote to memory of 1136	764	cmd.exe	30
PID 764 wrote to memory of 1136	764	cmd.exe	30
PID 764 wrote to memory of 1232	764	cmd.exe	31
PID 764 wrote to memory of 1232	764	cmd.exe	31
PID 764 wrote to memory of 1232	764	cmd.exe	31
PID 764 wrote to memory of 1232	764	cmd.exe	31
PID 764 wrote to memory of 1924	764	cmd.exe	32
PID 764 wrote to memory of 1924	764	cmd.exe	32
PID 764 wrote to memory of 1924	764	cmd.exe	32
PID 764 wrote to memory of 1924	764	cmd.exe	32
PID 1924 wrote to memory of 1916	1924	net.exe	33
PID 1924 wrote to memory of 1916	1924	net.exe	33
PID 1924 wrote to memory of 1916	1924	net.exe	33
PID 1924 wrote to memory of 1916	1924	net.exe	33
PID 764 wrote to memory of 1320	764	cmd.exe	34
PID 764 wrote to memory of 1320	764	cmd.exe	34
PID 764 wrote to memory of 1320	764	cmd.exe	34
PID 764 wrote to memory of 1320	764	cmd.exe	34
PID 764 wrote to memory of 1636	764	cmd.exe	35
PID 764 wrote to memory of 1636	764	cmd.exe	35
PID 764 wrote to memory of 1636	764	cmd.exe	35
PID 764 wrote to memory of 1636	764	cmd.exe	35
PID 764 wrote to memory of 2008	764	cmd.exe	36
PID 764 wrote to memory of 2008	764	cmd.exe	36
PID 764 wrote to memory of 2008	764	cmd.exe	36
PID 764 wrote to memory of 2008	764	cmd.exe	36
PID 764 wrote to memory of 808	764	cmd.exe	37
PID 764 wrote to memory of 808	764	cmd.exe	37
PID 764 wrote to memory of 808	764	cmd.exe	37
PID 764 wrote to memory of 808	764	cmd.exe	37
PID 764 wrote to memory of 920	764	cmd.exe	38
PID 764 wrote to memory of 920	764	cmd.exe	38
PID 764 wrote to memory of 920	764	cmd.exe	38
PID 764 wrote to memory of 920	764	cmd.exe	38
PID 764 wrote to memory of 2020	764	cmd.exe	39
PID 764 wrote to memory of 2020	764	cmd.exe	39
PID 764 wrote to memory of 2020	764	cmd.exe	39
PID 764 wrote to memory of 2020	764	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe
"C:\Users\Admin\AppData\Local\Temp\ae0c6d1571befe39d9cf99b7ef4dfd1eed17493d785984426cdc5b95156a6a51.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\XXXXXXCC274A3C\JH.BAT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn * /f
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\sc.exe
    sc config Schedule start= auto
    3⤵
    - Launches sc.exe
    PID:1232
- - C:\Windows\SysWOW64\net.exe
    net start "Task Scheduler"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Task Scheduler"
      4⤵
      PID:1916
- - C:\Windows\SysWOW64\at.exe
    At 0:00 C:\Windows\XXXXXXCC274A3C\svchsot.exe
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\at.exe
    At 1:00 C:\Windows\XXXXXXCC274A3C\svchsot.exe
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\at.exe
    At 2:00 C:\Windows\XXXXXXCC274A3C\svchsot.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\at.exe
    At 3:00 C:\Windows\XXXXXXCC274A3C\svchsot.exe
    3⤵
    PID:808
- - C:\Windows\SysWOW64\at.exe
    At 4:00 C:\Windows\XXXXXXCC274A3C\svchsot.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\at.exe
    At 5:00 C:\Windows\XXXXXXCC274A3C\svchsot.exe
    3⤵
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\XXXXXXCC274A3C\JH.BAT

Filesize
1KB

MD5
5aa64ddcd293a368b2992d48530cb0ea

SHA1
1eb6d53a6a5750bcea99a4b36d59d31cbe140791

SHA256
272d8c3f133c8bac70dbaa774a9b29c79a0264ea31ec165c1bd14690ec86e41c

SHA512
f05fb8742b8ff53cbbb74af7ab3024176708f99877f3d44097f8b4591ce486ca659463ecf16071b5b583ac116e398b8dc76659487a78f145ec3da2d483367a89

Download Submit
memory/340-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/340-55-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/340-57-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/340-60-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download