gh0strat | aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea

Analysis

max time kernel
190s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 15:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
Size

421KB
MD5

2261d59f9efdae722af0fd70cd8cd1a4
SHA1

6f0efc457d24bcaaca6eff311cf617ba6372bec1
SHA256

aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea
SHA512

dafa7538e49ee09cf42eb8fb2343fc6fc6bd28205400ea0319864d63fe1a7f5ced12bf2db675e3ddaa88471c1cd3aa877e8e46eb88477feb90abbc0399794e85
SSDEEP

12288:EfnnK9zABs+TbFx9SXOPCf8DkqAR8zH6eS2f/LDloXMWQ:EfK9zUHFpi8/cSLDqXG

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e45-134.dat	family_gh0strat
behavioral2/files/0x0007000000022e45-135.dat	family_gh0strat
behavioral2/files/0x000b000000022e3a-137.dat	family_gh0strat
behavioral2/files/0x000e000000022e20-138.dat	family_gh0strat
behavioral2/files/0x000e000000022e20-139.dat	family_gh0strat
behavioral2/files/0x000b000000022e3a-141.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
3892	SetUpdate.exe
4628	SetOpenIt.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5052-132-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/5052-136-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
3892	SetUpdate.exe
2932	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/5052-136-0x0000000000400000-0x00000000004C4000-memory.dmp	autoit_exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Setting Update\SetUpdate.pic	SetUpdate.exe
File opened for modification	C:\Program Files (x86)\Common Files\Setting Update	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
File opened for modification	C:\Program Files (x86)\Common Files\Setting Update\SetUpdate.pic	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
File opened for modification	C:\Program Files (x86)\Common Files\Setting Update\SetUpdate.pic	SetUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3892	SetUpdate.exe
Token: SeRestorePrivilege	3892	SetUpdate.exe
Token: SeBackupPrivilege	3892	SetUpdate.exe
Token: SeRestorePrivilege	3892	SetUpdate.exe
Token: SeBackupPrivilege	3892	SetUpdate.exe
Token: SeRestorePrivilege	3892	SetUpdate.exe
Token: SeBackupPrivilege	3892	SetUpdate.exe
Token: SeRestorePrivilege	3892	SetUpdate.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3892	5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	83
PID 5052 wrote to memory of 3892	5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	83
PID 5052 wrote to memory of 3892	5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	83
PID 5052 wrote to memory of 4628	5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	97
PID 5052 wrote to memory of 4628	5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	97
PID 5052 wrote to memory of 4628	5052	aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe	97

C:\Users\Admin\AppData\Local\Temp\aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe
"C:\Users\Admin\AppData\Local\Temp\aa041fb6e92bf8da551b760fbd8e4048d1bf1069a4d0e9f6dfb683a2908147ea.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\SetUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\SetUpdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\SetOpenIt.exe
  C:\Users\Admin\AppData\Local\Temp\SetOpenIt.exe
  2⤵
  - Executes dropped EXE
  PID:4628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1361100.dll

Filesize
133KB

MD5
afacd97bd81ef689a3e845528aac684a

SHA1
ad644228a43add0d20d90424c24f822f8b8e0a9d

SHA256
f8112457c5f1dd0be10622abd1526494541630ca8174de53802ea13b5ea84087

SHA512
0dddb4341cfb121dc6c04bc1c84c7c98960eaefd280cb6d200cc3cfb739d35d803a33415e834ebffc6f319cddc5c871ebb1a38c089db0ad64d2b038baac142a3

Download Submit
C:\Program Files (x86)\Common Files\Setting Update\SetUpdate.pic

Filesize
10.5MB

MD5
9e544da63b09740b7e3421684d0f8b52

SHA1
9b3e79a67795d7530743fbabf5fb469b8b90dd32

SHA256
f672e80fa6e7ac42c747b12c4ae6ad2c1dfe5706bf960965e060d402be0deab4

SHA512
6958a70e648a0266385d62662b0ae976d8815393419ecc5a33172bdb7f6f87488f51768da571b59995dae3f64edba3830c47b9dcaca18239f86e254213874a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetOpenIt.exe

Filesize
44KB

MD5
f17c7275862a93b47490b89dc21c7db3

SHA1
1339dad9d0bd9edaeaac321ec06062195fe6c12c

SHA256
01f988b28de9af7db79c13d0a3bba4c45793e99da0c513b66a5ae6c8ca57c81c

SHA512
3874c419c9199fba65a9d179f9db83ba2fa2fd1fbead89515b448eb8af5e794463feee5dad060a3fb7f565e30a08f60fcd887c7080aa192f6eb7687fc398cf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetOpenIt.exe

Filesize
44KB

MD5
f17c7275862a93b47490b89dc21c7db3

SHA1
1339dad9d0bd9edaeaac321ec06062195fe6c12c

SHA256
01f988b28de9af7db79c13d0a3bba4c45793e99da0c513b66a5ae6c8ca57c81c

SHA512
3874c419c9199fba65a9d179f9db83ba2fa2fd1fbead89515b448eb8af5e794463feee5dad060a3fb7f565e30a08f60fcd887c7080aa192f6eb7687fc398cf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetUpdate.exe

Filesize
139KB

MD5
a9bc7fda0b030f2eb62eca75df58705d

SHA1
04f7cdaa4b4fde9073cbbfef8ce70a966e0e053e

SHA256
fe37020f386a560cc03a807af5882f67a10bc30c9937bda9df89749f73cca346

SHA512
d45dafb879161d2169fb31c6c64a55a8c96f012e21e7432425b90e114513755b3dec023a870918b754a7a624c9a81bd329e295a3378732bd11cf899ecfd7ebf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetUpdate.exe

Filesize
139KB

MD5
a9bc7fda0b030f2eb62eca75df58705d

SHA1
04f7cdaa4b4fde9073cbbfef8ce70a966e0e053e

SHA256
fe37020f386a560cc03a807af5882f67a10bc30c9937bda9df89749f73cca346

SHA512
d45dafb879161d2169fb31c6c64a55a8c96f012e21e7432425b90e114513755b3dec023a870918b754a7a624c9a81bd329e295a3378732bd11cf899ecfd7ebf9

Download Submit
C:\\1361100.dll

Filesize
133KB

MD5
afacd97bd81ef689a3e845528aac684a

SHA1
ad644228a43add0d20d90424c24f822f8b8e0a9d

SHA256
f8112457c5f1dd0be10622abd1526494541630ca8174de53802ea13b5ea84087

SHA512
0dddb4341cfb121dc6c04bc1c84c7c98960eaefd280cb6d200cc3cfb739d35d803a33415e834ebffc6f319cddc5c871ebb1a38c089db0ad64d2b038baac142a3

Download Submit
C:\\NT_Path.jpg

Filesize
62B

MD5
29fd8ba9cd247388a204fab32ee72eb1

SHA1
2a8fc3763ab2a79e40df04ee90f6876ab42d62af

SHA256
bb969109d12d0aa59745c53530970e848c07ee7eae20327c12977f4722ca7eda

SHA512
d8cd6c7d5f59cd791756dddabcec1f07fc9115d1f9e72a95a3b7268277846f1b4ed653775a0da945a01f49c7219419967e6a65cc11a908b8ae9dcc3a864f37ef

Download Submit
\??\c:\program files (x86)\common files\setting update\setupdate.pic

Filesize
10.5MB

MD5
9e544da63b09740b7e3421684d0f8b52

SHA1
9b3e79a67795d7530743fbabf5fb469b8b90dd32

SHA256
f672e80fa6e7ac42c747b12c4ae6ad2c1dfe5706bf960965e060d402be0deab4

SHA512
6958a70e648a0266385d62662b0ae976d8815393419ecc5a33172bdb7f6f87488f51768da571b59995dae3f64edba3830c47b9dcaca18239f86e254213874a87

Download Submit
memory/5052-132-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/5052-136-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download