gh0strat | 6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795

Analysis

max time kernel
174s
max time network
59s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
Size

183KB
MD5

0e9ab48caf7bf7f3729f2f91c1803317
SHA1

78a80a1a117f9d7862ba4e0f84cdfc0ed73a498f
SHA256

6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795
SHA512

e2f24667296b82d90ba03a7adbb2d6fe1fd654d607082a22660a6a09a32938359ad353cb4bea4508552c97f4fe2b2c8a5dcd41cdf623af41dbda480f1ccf95a1
SSDEEP

3072:rMqKbTtCSIT0chwzzcdZKF8UvvoeWofjjpAVioRF8s//NLj6h+EvtRu:49MMmwzlqUHoeWofjjpAViY/lH6h+Evu

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1420-57-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/1420-60-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX255362BB = "C:\\Windows\\XXXXXX255362BB\\svchsot.exe"	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\XXXXXX255362BB\JH.BAT	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2012	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1420	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
1420	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
1420	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
1420	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1420	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1664	1420	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe	28
PID 1420 wrote to memory of 1664	1420	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe	28
PID 1420 wrote to memory of 1664	1420	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe	28
PID 1420 wrote to memory of 1664	1420	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe	28
PID 1664 wrote to memory of 936	1664	cmd.exe	30
PID 1664 wrote to memory of 936	1664	cmd.exe	30
PID 1664 wrote to memory of 936	1664	cmd.exe	30
PID 1664 wrote to memory of 936	1664	cmd.exe	30
PID 1664 wrote to memory of 2012	1664	cmd.exe	31
PID 1664 wrote to memory of 2012	1664	cmd.exe	31
PID 1664 wrote to memory of 2012	1664	cmd.exe	31
PID 1664 wrote to memory of 2012	1664	cmd.exe	31
PID 1664 wrote to memory of 1152	1664	cmd.exe	32
PID 1664 wrote to memory of 1152	1664	cmd.exe	32
PID 1664 wrote to memory of 1152	1664	cmd.exe	32
PID 1664 wrote to memory of 1152	1664	cmd.exe	32
PID 1152 wrote to memory of 1052	1152	net.exe	33
PID 1152 wrote to memory of 1052	1152	net.exe	33
PID 1152 wrote to memory of 1052	1152	net.exe	33
PID 1152 wrote to memory of 1052	1152	net.exe	33
PID 1664 wrote to memory of 1328	1664	cmd.exe	34
PID 1664 wrote to memory of 1328	1664	cmd.exe	34
PID 1664 wrote to memory of 1328	1664	cmd.exe	34
PID 1664 wrote to memory of 1328	1664	cmd.exe	34
PID 1664 wrote to memory of 1768	1664	cmd.exe	35
PID 1664 wrote to memory of 1768	1664	cmd.exe	35
PID 1664 wrote to memory of 1768	1664	cmd.exe	35
PID 1664 wrote to memory of 1768	1664	cmd.exe	35
PID 1664 wrote to memory of 988	1664	cmd.exe	36
PID 1664 wrote to memory of 988	1664	cmd.exe	36
PID 1664 wrote to memory of 988	1664	cmd.exe	36
PID 1664 wrote to memory of 988	1664	cmd.exe	36
PID 1664 wrote to memory of 1324	1664	cmd.exe	37
PID 1664 wrote to memory of 1324	1664	cmd.exe	37
PID 1664 wrote to memory of 1324	1664	cmd.exe	37
PID 1664 wrote to memory of 1324	1664	cmd.exe	37
PID 1664 wrote to memory of 1196	1664	cmd.exe	38
PID 1664 wrote to memory of 1196	1664	cmd.exe	38
PID 1664 wrote to memory of 1196	1664	cmd.exe	38
PID 1664 wrote to memory of 1196	1664	cmd.exe	38
PID 1664 wrote to memory of 288	1664	cmd.exe	39
PID 1664 wrote to memory of 288	1664	cmd.exe	39
PID 1664 wrote to memory of 288	1664	cmd.exe	39
PID 1664 wrote to memory of 288	1664	cmd.exe	39
PID 1664 wrote to memory of 1976	1664	cmd.exe	40
PID 1664 wrote to memory of 1976	1664	cmd.exe	40
PID 1664 wrote to memory of 1976	1664	cmd.exe	40
PID 1664 wrote to memory of 1976	1664	cmd.exe	40
PID 1664 wrote to memory of 1412	1664	cmd.exe	41
PID 1664 wrote to memory of 1412	1664	cmd.exe	41
PID 1664 wrote to memory of 1412	1664	cmd.exe	41
PID 1664 wrote to memory of 1412	1664	cmd.exe	41
PID 1664 wrote to memory of 1380	1664	cmd.exe	42
PID 1664 wrote to memory of 1380	1664	cmd.exe	42
PID 1664 wrote to memory of 1380	1664	cmd.exe	42
PID 1664 wrote to memory of 1380	1664	cmd.exe	42
PID 1664 wrote to memory of 1980	1664	cmd.exe	43
PID 1664 wrote to memory of 1980	1664	cmd.exe	43
PID 1664 wrote to memory of 1980	1664	cmd.exe	43
PID 1664 wrote to memory of 1980	1664	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
"C:\Users\Admin\AppData\Local\Temp\6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\XXXXXX255362BB\JH.BAT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn * /f
    3⤵
    PID:936
- - C:\Windows\SysWOW64\sc.exe
    sc config Schedule start= auto
    3⤵
    - Launches sc.exe
    PID:2012
- - C:\Windows\SysWOW64\net.exe
    net start "Task Scheduler"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Task Scheduler"
      4⤵
      PID:1052
- - C:\Windows\SysWOW64\at.exe
    At 0:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\at.exe
    At 1:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\at.exe
    At 2:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:988
- - C:\Windows\SysWOW64\at.exe
    At 3:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\at.exe
    At 4:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\at.exe
    At 5:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:288
- - C:\Windows\SysWOW64\at.exe
    At 6:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\at.exe
    At 7:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\at.exe
    At 8:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\at.exe
    At 9:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\XXXXXX255362BB\JH.BAT

Filesize
1KB

MD5
a459956fdedb90926695046bd26b58ac

SHA1
21e682ff1f95712d727b05fc941732e308e5413e

SHA256
126874685fccca502cc02eca6b77c62938f3049664ceb0efc57311c98ec9fe53

SHA512
5cfd5faa1ef154e1bdc501cc8fa2356d3c3f66664a8287f2af31402c7dc2107584a38efa8388e9f97a06e516f1892454578f0d07c91be29f372a2edfc8a35147

Download Submit
memory/1420-55-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1420-57-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1420-60-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1420-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download