gh0strat | 6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795

Analysis

max time kernel
189s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
Size

183KB
MD5

0e9ab48caf7bf7f3729f2f91c1803317
SHA1

78a80a1a117f9d7862ba4e0f84cdfc0ed73a498f
SHA256

6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795
SHA512

e2f24667296b82d90ba03a7adbb2d6fe1fd654d607082a22660a6a09a32938359ad353cb4bea4508552c97f4fe2b2c8a5dcd41cdf623af41dbda480f1ccf95a1
SSDEEP

3072:rMqKbTtCSIT0chwzzcdZKF8UvvoeWofjjpAVioRF8s//NLj6h+EvtRu:49MMmwzlqUHoeWofjjpAViY/lH6h+Evu

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/976-134-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/976-135-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/976-138-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX255362BB = "C:\\Windows\\XXXXXX255362BB\\svchsot.exe"	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Default	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\XXXXXX255362BB\JH.BAT	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5048	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 4412	976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe	82
PID 976 wrote to memory of 4412	976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe	82
PID 976 wrote to memory of 4412	976	6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe	82
PID 4412 wrote to memory of 1656	4412	cmd.exe	84
PID 4412 wrote to memory of 1656	4412	cmd.exe	84
PID 4412 wrote to memory of 1656	4412	cmd.exe	84
PID 4412 wrote to memory of 5048	4412	cmd.exe	85
PID 4412 wrote to memory of 5048	4412	cmd.exe	85
PID 4412 wrote to memory of 5048	4412	cmd.exe	85
PID 4412 wrote to memory of 2520	4412	cmd.exe	86
PID 4412 wrote to memory of 2520	4412	cmd.exe	86
PID 4412 wrote to memory of 2520	4412	cmd.exe	86
PID 2520 wrote to memory of 4328	2520	net.exe	87
PID 2520 wrote to memory of 4328	2520	net.exe	87
PID 2520 wrote to memory of 4328	2520	net.exe	87
PID 4412 wrote to memory of 2064	4412	cmd.exe	88
PID 4412 wrote to memory of 2064	4412	cmd.exe	88
PID 4412 wrote to memory of 2064	4412	cmd.exe	88
PID 4412 wrote to memory of 3636	4412	cmd.exe	89
PID 4412 wrote to memory of 3636	4412	cmd.exe	89
PID 4412 wrote to memory of 3636	4412	cmd.exe	89
PID 4412 wrote to memory of 3596	4412	cmd.exe	90
PID 4412 wrote to memory of 3596	4412	cmd.exe	90
PID 4412 wrote to memory of 3596	4412	cmd.exe	90
PID 4412 wrote to memory of 4592	4412	cmd.exe	91
PID 4412 wrote to memory of 4592	4412	cmd.exe	91
PID 4412 wrote to memory of 4592	4412	cmd.exe	91
PID 4412 wrote to memory of 4544	4412	cmd.exe	92
PID 4412 wrote to memory of 4544	4412	cmd.exe	92
PID 4412 wrote to memory of 4544	4412	cmd.exe	92
PID 4412 wrote to memory of 2772	4412	cmd.exe	93
PID 4412 wrote to memory of 2772	4412	cmd.exe	93
PID 4412 wrote to memory of 2772	4412	cmd.exe	93
PID 4412 wrote to memory of 5072	4412	cmd.exe	94
PID 4412 wrote to memory of 5072	4412	cmd.exe	94
PID 4412 wrote to memory of 5072	4412	cmd.exe	94
PID 4412 wrote to memory of 4408	4412	cmd.exe	95
PID 4412 wrote to memory of 4408	4412	cmd.exe	95
PID 4412 wrote to memory of 4408	4412	cmd.exe	95
PID 4412 wrote to memory of 3520	4412	cmd.exe	96
PID 4412 wrote to memory of 3520	4412	cmd.exe	96
PID 4412 wrote to memory of 3520	4412	cmd.exe	96
PID 4412 wrote to memory of 2704	4412	cmd.exe	97
PID 4412 wrote to memory of 2704	4412	cmd.exe	97
PID 4412 wrote to memory of 2704	4412	cmd.exe	97
PID 4412 wrote to memory of 1936	4412	cmd.exe	98
PID 4412 wrote to memory of 1936	4412	cmd.exe	98
PID 4412 wrote to memory of 1936	4412	cmd.exe	98
PID 4412 wrote to memory of 3164	4412	cmd.exe	99
PID 4412 wrote to memory of 3164	4412	cmd.exe	99
PID 4412 wrote to memory of 3164	4412	cmd.exe	99
PID 4412 wrote to memory of 3984	4412	cmd.exe	100
PID 4412 wrote to memory of 3984	4412	cmd.exe	100
PID 4412 wrote to memory of 3984	4412	cmd.exe	100
PID 4412 wrote to memory of 4940	4412	cmd.exe	101
PID 4412 wrote to memory of 4940	4412	cmd.exe	101
PID 4412 wrote to memory of 4940	4412	cmd.exe	101
PID 4412 wrote to memory of 4852	4412	cmd.exe	102
PID 4412 wrote to memory of 4852	4412	cmd.exe	102
PID 4412 wrote to memory of 4852	4412	cmd.exe	102
PID 4412 wrote to memory of 3496	4412	cmd.exe	103
PID 4412 wrote to memory of 3496	4412	cmd.exe	103
PID 4412 wrote to memory of 3496	4412	cmd.exe	103
PID 4412 wrote to memory of 1480	4412	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe
"C:\Users\Admin\AppData\Local\Temp\6bdb1cc96bca039874ff0d3a2ff3a8bd02a46e9fc55a38ba930d70792dfed795.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\XXXXXX255362BB\JH.BAT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn * /f
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\sc.exe
    sc config Schedule start= auto
    3⤵
    - Launches sc.exe
    PID:5048
- - C:\Windows\SysWOW64\net.exe
    net start "Task Scheduler"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Task Scheduler"
      4⤵
      PID:4328
- - C:\Windows\SysWOW64\at.exe
    At 0:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\at.exe
    At 1:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\at.exe
    At 2:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\at.exe
    At 3:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\at.exe
    At 4:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\at.exe
    At 5:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\at.exe
    At 6:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\at.exe
    At 7:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\at.exe
    At 8:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\at.exe
    At 9:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\at.exe
    At 10:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\at.exe
    At 11:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\at.exe
    At 12:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\at.exe
    At 13:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\at.exe
    At 14:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\at.exe
    At 15:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\at.exe
    At 16:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\at.exe
    At 17:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\at.exe
    At 18:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\at.exe
    At 19:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\at.exe
    At 20:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\at.exe
    At 21:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\at.exe
    At 22:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\at.exe
    At 23:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:924
- - C:\Windows\SysWOW64\at.exe
    At 24:00 C:\Windows\XXXXXX255362BB\svchsot.exe
    3⤵
    PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\XXXXXX255362BB\JH.BAT

Filesize
1KB

MD5
a459956fdedb90926695046bd26b58ac

SHA1
21e682ff1f95712d727b05fc941732e308e5413e

SHA256
126874685fccca502cc02eca6b77c62938f3049664ceb0efc57311c98ec9fe53

SHA512
5cfd5faa1ef154e1bdc501cc8fa2356d3c3f66664a8287f2af31402c7dc2107584a38efa8388e9f97a06e516f1892454578f0d07c91be29f372a2edfc8a35147

Download Submit
memory/976-134-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/976-135-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/976-132-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/976-138-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download