gh0strat | aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 15:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
Size

421KB
MD5

2261d59f9efdae722af0fd70cd8cd1a4
SHA1

6f0efc457d24bcaaca6eff311cf617ba6372bec1
SHA256

aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea
SHA512

dafa7538e49ee09cf42eb8fb2343fc6fc6bd28205400ea0319864d63fe1a7f5ced12bf2db675e3ddaa88471c1cd3aa877e8e46eb88477feb90abbc0399794e85
SSDEEP

12288:EfnnK9zABs+TbFx9SXOPCf8DkqAR8zH6eS2f/LDloXMWQ:EfK9zUHFpi8/cSLDqXG

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000122f9-55.dat	family_gh0strat
behavioral1/files/0x000a0000000122f9-57.dat	family_gh0strat
behavioral1/files/0x000a0000000122f9-58.dat	family_gh0strat
behavioral1/files/0x000a0000000122f9-62.dat	family_gh0strat
behavioral1/files/0x000a0000000122f9-61.dat	family_gh0strat
behavioral1/files/0x000a0000000122f9-60.dat	family_gh0strat
behavioral1/files/0x000c000000012318-64.dat	family_gh0strat
behavioral1/files/0x000a000000005c51-67.dat	family_gh0strat
behavioral1/files/0x000c000000012318-65.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
884	SetUpdate.exe
584	SetOpenIt.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-63-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2028-73-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
884	SetUpdate.exe
884	SetUpdate.exe
884	SetUpdate.exe
560	svchost.exe
2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2028-63-0x0000000000400000-0x00000000004C4000-memory.dmp	autoit_exe
behavioral1/memory/2028-73-0x0000000000400000-0x00000000004C4000-memory.dmp	autoit_exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Setting Update	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
File opened for modification	C:\Program Files (x86)\Common Files\Setting Update\SetUpdate.pic	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
File opened for modification	C:\Program Files (x86)\Common Files\Setting Update\SetUpdate.pic	SetUpdate.exe
File created	C:\Program Files (x86)\Common Files\Setting Update\SetUpdate.pic	SetUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	884	SetUpdate.exe
Token: SeRestorePrivilege	884	SetUpdate.exe
Token: SeBackupPrivilege	884	SetUpdate.exe
Token: SeRestorePrivilege	884	SetUpdate.exe
Token: SeBackupPrivilege	884	SetUpdate.exe
Token: SeRestorePrivilege	884	SetUpdate.exe
Token: SeBackupPrivilege	884	SetUpdate.exe
Token: SeRestorePrivilege	884	SetUpdate.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 884	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	27
PID 2028 wrote to memory of 884	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	27
PID 2028 wrote to memory of 884	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	27
PID 2028 wrote to memory of 884	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	27
PID 2028 wrote to memory of 884	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	27
PID 2028 wrote to memory of 884	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	27
PID 2028 wrote to memory of 884	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	27
PID 2028 wrote to memory of 584	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	29
PID 2028 wrote to memory of 584	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	29
PID 2028 wrote to memory of 584	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	29
PID 2028 wrote to memory of 584	2028	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	29

C:\Users\Admin\AppData\Local\Temp\aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
"C:\Users\Admin\AppData\Local\Temp\aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\SetUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\SetUpdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Users\Admin\AppData\Local\Temp\SetOpenIt.exe
  C:\Users\Admin\AppData\Local\Temp\SetOpenIt.exe
  2⤵
  - Executes dropped EXE
  PID:584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SetOpenIt.exe

Filesize
44KB

MD5
f17c7275862a93b47490b89dc21c7db3

SHA1
1339dad9d0bd9edaeaac321ec06062195fe6c12c

SHA256
01f988b28de9af7db79c13d0a3bba4c45793e99da0c513b66a5ae6c8ca57c81c

SHA512
3874c419c9199fba65a9d179f9db83ba2fa2fd1fbead89515b448eb8af5e794463feee5dad060a3fb7f565e30a08f60fcd887c7080aa192f6eb7687fc398cf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetUpdate.exe

Filesize
139KB

MD5
a9bc7fda0b030f2eb62eca75df58705d

SHA1
04f7cdaa4b4fde9073cbbfef8ce70a966e0e053e

SHA256
fe37020f386a560cc03a807af5882f67a10bc30c9937bda9df89749f73cca346

SHA512
d45dafb879161d2169fb31c6c64a55a8c96f012e21e7432425b90e114513755b3dec023a870918b754a7a624c9a81bd329e295a3378732bd11cf899ecfd7ebf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetUpdate.exe

Filesize
139KB

MD5
a9bc7fda0b030f2eb62eca75df58705d

SHA1
04f7cdaa4b4fde9073cbbfef8ce70a966e0e053e

SHA256
fe37020f386a560cc03a807af5882f67a10bc30c9937bda9df89749f73cca346

SHA512
d45dafb879161d2169fb31c6c64a55a8c96f012e21e7432425b90e114513755b3dec023a870918b754a7a624c9a81bd329e295a3378732bd11cf899ecfd7ebf9

Download Submit
C:\\563000.dll

Filesize
133KB

MD5
afacd97bd81ef689a3e845528aac684a

SHA1
ad644228a43add0d20d90424c24f822f8b8e0a9d

SHA256
f8112457c5f1dd0be10622abd1526494541630ca8174de53802ea13b5ea84087

SHA512
0dddb4341cfb121dc6c04bc1c84c7c98960eaefd280cb6d200cc3cfb739d35d803a33415e834ebffc6f319cddc5c871ebb1a38c089db0ad64d2b038baac142a3

Download Submit
C:\\NT_Path.jpg

Filesize
61B

MD5
6d07c737f72c81a7fd96f0fb24f78893

SHA1
d59c02a3e4fdc7e3c5444cd21c24a87681f36a16

SHA256
94b1ec6afba6259e396709422a9e7e1afd70371e483259329bed826c9ee60db4

SHA512
aca735eff2bdadadf4da9cec11bb1a15cb208b602e21ff24caa2d435debb60397abe53f9d9174e6350b64e13401716795d1769dcba6bcd755d152b0ca801dad1

Download Submit
\??\c:\program files (x86)\common files\setting update\setupdate.pic

Filesize
13.8MB

MD5
018dc74fa8c59e8ece68c53d2788a8d9

SHA1
21544de80de9336c69ed54aa21e7c7f712cd3fcc

SHA256
f31e160733b3d24f3fac13a559aec9490caefe6df0fa4286fd7c368ff5fe5b41

SHA512
490fbd328b5d151983807433155fbc1faa6c2e6937763e8c8cfcb142416d8eb34707446a9a15bdba7fb4ff9ea4e925318d58438cf0f41cf93e4914fd3826005a

Download Submit
\Program Files (x86)\Common Files\Setting Update\SetUpdate.pic

Filesize
13.8MB

MD5
018dc74fa8c59e8ece68c53d2788a8d9

SHA1
21544de80de9336c69ed54aa21e7c7f712cd3fcc

SHA256
f31e160733b3d24f3fac13a559aec9490caefe6df0fa4286fd7c368ff5fe5b41

SHA512
490fbd328b5d151983807433155fbc1faa6c2e6937763e8c8cfcb142416d8eb34707446a9a15bdba7fb4ff9ea4e925318d58438cf0f41cf93e4914fd3826005a

Download Submit
\Users\Admin\AppData\Local\Temp\SetOpenIt.exe

Filesize
44KB

MD5
f17c7275862a93b47490b89dc21c7db3

SHA1
1339dad9d0bd9edaeaac321ec06062195fe6c12c

SHA256
01f988b28de9af7db79c13d0a3bba4c45793e99da0c513b66a5ae6c8ca57c81c

SHA512
3874c419c9199fba65a9d179f9db83ba2fa2fd1fbead89515b448eb8af5e794463feee5dad060a3fb7f565e30a08f60fcd887c7080aa192f6eb7687fc398cf22

Download Submit
\Users\Admin\AppData\Local\Temp\SetOpenIt.exe

Filesize
44KB

MD5
f17c7275862a93b47490b89dc21c7db3

SHA1
1339dad9d0bd9edaeaac321ec06062195fe6c12c

SHA256
01f988b28de9af7db79c13d0a3bba4c45793e99da0c513b66a5ae6c8ca57c81c

SHA512
3874c419c9199fba65a9d179f9db83ba2fa2fd1fbead89515b448eb8af5e794463feee5dad060a3fb7f565e30a08f60fcd887c7080aa192f6eb7687fc398cf22

Download Submit
\Users\Admin\AppData\Local\Temp\SetUpdate.exe

Filesize
139KB

MD5
a9bc7fda0b030f2eb62eca75df58705d

SHA1
04f7cdaa4b4fde9073cbbfef8ce70a966e0e053e

SHA256
fe37020f386a560cc03a807af5882f67a10bc30c9937bda9df89749f73cca346

SHA512
d45dafb879161d2169fb31c6c64a55a8c96f012e21e7432425b90e114513755b3dec023a870918b754a7a624c9a81bd329e295a3378732bd11cf899ecfd7ebf9

Download Submit
\Users\Admin\AppData\Local\Temp\SetUpdate.exe

Filesize
139KB

MD5
a9bc7fda0b030f2eb62eca75df58705d

SHA1
04f7cdaa4b4fde9073cbbfef8ce70a966e0e053e

SHA256
fe37020f386a560cc03a807af5882f67a10bc30c9937bda9df89749f73cca346

SHA512
d45dafb879161d2169fb31c6c64a55a8c96f012e21e7432425b90e114513755b3dec023a870918b754a7a624c9a81bd329e295a3378732bd11cf899ecfd7ebf9

Download Submit
\Users\Admin\AppData\Local\Temp\SetUpdate.exe

Filesize
139KB

MD5
a9bc7fda0b030f2eb62eca75df58705d

SHA1
04f7cdaa4b4fde9073cbbfef8ce70a966e0e053e

SHA256
fe37020f386a560cc03a807af5882f67a10bc30c9937bda9df89749f73cca346

SHA512
d45dafb879161d2169fb31c6c64a55a8c96f012e21e7432425b90e114513755b3dec023a870918b754a7a624c9a81bd329e295a3378732bd11cf899ecfd7ebf9

Download Submit
\Users\Admin\AppData\Local\Temp\SetUpdate.exe

Filesize
139KB

MD5
a9bc7fda0b030f2eb62eca75df58705d

SHA1
04f7cdaa4b4fde9073cbbfef8ce70a966e0e053e

SHA256
fe37020f386a560cc03a807af5882f67a10bc30c9937bda9df89749f73cca346

SHA512
d45dafb879161d2169fb31c6c64a55a8c96f012e21e7432425b90e114513755b3dec023a870918b754a7a624c9a81bd329e295a3378732bd11cf899ecfd7ebf9

Download Submit
memory/2028-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/2028-63-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2028-73-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download