gh0strat | 95fd93f3c2eb0bc7bbff95fb4e1e1df48486e67e025c0ff96b94a0e17add140b

Analysis

max time kernel
128s
max time network
118s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/12/2022, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9ad72c409a9d0746fd59cc4d392d2b0.exe
Size

395KB
MD5

a9ad72c409a9d0746fd59cc4d392d2b0
SHA1

967bfc3d4980fd9a25002282119e36d87ff10be4
SHA256

95fd93f3c2eb0bc7bbff95fb4e1e1df48486e67e025c0ff96b94a0e17add140b
SHA512

40c67db8005b2621be9946e5d596cb09744f0caa1f617053bb8ab865e79836e8b029e700e2372120e00658829a01ad2cb0f6f7cb5441b48d63f807dcfaaa2b70
SSDEEP

6144:vGHc//////7hwTB9RZEtXYP3MLJD4Qfwp85PpuRcxIsLoDkUtefOlEwa8x:qc//////dwTDbEyPLQfN71LoDxeXQ

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001232f-71.dat	family_gh0strat
behavioral1/files/0x000a00000001232f-72.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
1068	buding.exe
1240	QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe

Loads dropped DLL 7 IoCs

pid	Process
1992	cmd.exe
1068	buding.exe
1068	buding.exe
1068	buding.exe
2016	cmd.exe
2016	cmd.exe
760	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\uxbmcocwli	svchost.exe
File created	C:\Windows\SysWOW64\ugogkreuxe	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\dpjor.pic	buding.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
760	svchost.exe
760	svchost.exe
760	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	1068	buding.exe
Token: SeRestorePrivilege	1068	buding.exe
Token: SeBackupPrivilege	1068	buding.exe
Token: SeRestorePrivilege	1068	buding.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeSecurityPrivilege	760	svchost.exe
Token: SeSecurityPrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeSecurityPrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeSecurityPrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 1992	964	a9ad72c409a9d0746fd59cc4d392d2b0.exe	28
PID 964 wrote to memory of 1992	964	a9ad72c409a9d0746fd59cc4d392d2b0.exe	28
PID 964 wrote to memory of 1992	964	a9ad72c409a9d0746fd59cc4d392d2b0.exe	28
PID 964 wrote to memory of 1992	964	a9ad72c409a9d0746fd59cc4d392d2b0.exe	28
PID 1992 wrote to memory of 1068	1992	cmd.exe	30
PID 1992 wrote to memory of 1068	1992	cmd.exe	30
PID 1992 wrote to memory of 1068	1992	cmd.exe	30
PID 1992 wrote to memory of 1068	1992	cmd.exe	30
PID 1992 wrote to memory of 1068	1992	cmd.exe	30
PID 1992 wrote to memory of 1068	1992	cmd.exe	30
PID 1992 wrote to memory of 1068	1992	cmd.exe	30
PID 964 wrote to memory of 2016	964	a9ad72c409a9d0746fd59cc4d392d2b0.exe	31
PID 964 wrote to memory of 2016	964	a9ad72c409a9d0746fd59cc4d392d2b0.exe	31
PID 964 wrote to memory of 2016	964	a9ad72c409a9d0746fd59cc4d392d2b0.exe	31
PID 964 wrote to memory of 2016	964	a9ad72c409a9d0746fd59cc4d392d2b0.exe	31
PID 2016 wrote to memory of 1240	2016	cmd.exe	33
PID 2016 wrote to memory of 1240	2016	cmd.exe	33
PID 2016 wrote to memory of 1240	2016	cmd.exe	33
PID 2016 wrote to memory of 1240	2016	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\a9ad72c409a9d0746fd59cc4d392d2b0.exe
"C:\Users\Admin\AppData\Local\Temp\a9ad72c409a9d0746fd59cc4d392d2b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\buding.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\buding.exe
    C:\Users\Admin\AppData\Local\Temp\buding.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe
    C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe
    3⤵
    - Executes dropped EXE
    PID:1240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "netsvcs"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe

Filesize
288KB

MD5
bbaf5d3072afae0e6d313cfefab6c859

SHA1
32038b37d8e9da7371dde4002a71239872314aac

SHA256
48bcc4d510d3b59da489a395d806c6d3e51d84ba1a6731fa23d8881a87b84bb5

SHA512
d9768ddaa0d88f36644ac8005c21c189e14fec92823f34b536c6b32a5c92cfbaf9d0428a8e84a1779458e17546acce19d722d914525879a0c0eadb7a87f9bd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe

Filesize
288KB

MD5
bbaf5d3072afae0e6d313cfefab6c859

SHA1
32038b37d8e9da7371dde4002a71239872314aac

SHA256
48bcc4d510d3b59da489a395d806c6d3e51d84ba1a6731fa23d8881a87b84bb5

SHA512
d9768ddaa0d88f36644ac8005c21c189e14fec92823f34b536c6b32a5c92cfbaf9d0428a8e84a1779458e17546acce19d722d914525879a0c0eadb7a87f9bd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\buding.exe

Filesize
192KB

MD5
a435fb7317105acc306f2a25a88c9225

SHA1
1a6aac6f8b131ee09b46df5d042bfa0573afb9bd

SHA256
462165791700307f16f40056c9d09b7e3ebed01a5bb800fd0c68cb8b5e50e769

SHA512
67e64b60245859528160e9664a2d8d2ced0d043a977cbe93764bbde621dcf76def9bdc99f725d7d984e62468c7baaa06988f34add8d9a46b95819bd4646bc7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\buding.exe

Filesize
192KB

MD5
a435fb7317105acc306f2a25a88c9225

SHA1
1a6aac6f8b131ee09b46df5d042bfa0573afb9bd

SHA256
462165791700307f16f40056c9d09b7e3ebed01a5bb800fd0c68cb8b5e50e769

SHA512
67e64b60245859528160e9664a2d8d2ced0d043a977cbe93764bbde621dcf76def9bdc99f725d7d984e62468c7baaa06988f34add8d9a46b95819bd4646bc7f6

Download Submit
\??\c:\progra~2\google\dpjor.pic

Filesize
576KB

MD5
7762603e9ce4922dcb3b6f91e7580577

SHA1
08ee4db715ebe9b9817c906f59d2bc4a7f766083

SHA256
e9a0de91c50a96349f1f33aea422199f14d644e8573780ff53b076d1ca19be6d

SHA512
0a44b4e0269433cad04336ac83d07ffcde6eae80edf190e212bc8a12e6f404911f4a3aa9430760917b74b412be89aedffd66b0d79512ebd8953dbf3722515070

Download Submit
\PROGRA~2\Google\dpjor.pic

Filesize
576KB

MD5
7762603e9ce4922dcb3b6f91e7580577

SHA1
08ee4db715ebe9b9817c906f59d2bc4a7f766083

SHA256
e9a0de91c50a96349f1f33aea422199f14d644e8573780ff53b076d1ca19be6d

SHA512
0a44b4e0269433cad04336ac83d07ffcde6eae80edf190e212bc8a12e6f404911f4a3aa9430760917b74b412be89aedffd66b0d79512ebd8953dbf3722515070

Download Submit
\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe

Filesize
288KB

MD5
bbaf5d3072afae0e6d313cfefab6c859

SHA1
32038b37d8e9da7371dde4002a71239872314aac

SHA256
48bcc4d510d3b59da489a395d806c6d3e51d84ba1a6731fa23d8881a87b84bb5

SHA512
d9768ddaa0d88f36644ac8005c21c189e14fec92823f34b536c6b32a5c92cfbaf9d0428a8e84a1779458e17546acce19d722d914525879a0c0eadb7a87f9bd58

Download Submit
\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe

Filesize
288KB

MD5
bbaf5d3072afae0e6d313cfefab6c859

SHA1
32038b37d8e9da7371dde4002a71239872314aac

SHA256
48bcc4d510d3b59da489a395d806c6d3e51d84ba1a6731fa23d8881a87b84bb5

SHA512
d9768ddaa0d88f36644ac8005c21c189e14fec92823f34b536c6b32a5c92cfbaf9d0428a8e84a1779458e17546acce19d722d914525879a0c0eadb7a87f9bd58

Download Submit
\Users\Admin\AppData\Local\Temp\buding.exe

Filesize
192KB

MD5
a435fb7317105acc306f2a25a88c9225

SHA1
1a6aac6f8b131ee09b46df5d042bfa0573afb9bd

SHA256
462165791700307f16f40056c9d09b7e3ebed01a5bb800fd0c68cb8b5e50e769

SHA512
67e64b60245859528160e9664a2d8d2ced0d043a977cbe93764bbde621dcf76def9bdc99f725d7d984e62468c7baaa06988f34add8d9a46b95819bd4646bc7f6

Download Submit
\Users\Admin\AppData\Local\Temp\buding.exe

Filesize
192KB

MD5
a435fb7317105acc306f2a25a88c9225

SHA1
1a6aac6f8b131ee09b46df5d042bfa0573afb9bd

SHA256
462165791700307f16f40056c9d09b7e3ebed01a5bb800fd0c68cb8b5e50e769

SHA512
67e64b60245859528160e9664a2d8d2ced0d043a977cbe93764bbde621dcf76def9bdc99f725d7d984e62468c7baaa06988f34add8d9a46b95819bd4646bc7f6

Download Submit
\Users\Admin\AppData\Local\Temp\buding.exe

Filesize
192KB

MD5
a435fb7317105acc306f2a25a88c9225

SHA1
1a6aac6f8b131ee09b46df5d042bfa0573afb9bd

SHA256
462165791700307f16f40056c9d09b7e3ebed01a5bb800fd0c68cb8b5e50e769

SHA512
67e64b60245859528160e9664a2d8d2ced0d043a977cbe93764bbde621dcf76def9bdc99f725d7d984e62468c7baaa06988f34add8d9a46b95819bd4646bc7f6

Download Submit
\Users\Admin\AppData\Local\Temp\buding.exe

Filesize
192KB

MD5
a435fb7317105acc306f2a25a88c9225

SHA1
1a6aac6f8b131ee09b46df5d042bfa0573afb9bd

SHA256
462165791700307f16f40056c9d09b7e3ebed01a5bb800fd0c68cb8b5e50e769

SHA512
67e64b60245859528160e9664a2d8d2ced0d043a977cbe93764bbde621dcf76def9bdc99f725d7d984e62468c7baaa06988f34add8d9a46b95819bd4646bc7f6

Download Submit
memory/1068-59-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1240-69-0x000007FEF4B20000-0x000007FEF5543000-memory.dmp

Filesize
10.1MB

Download
memory/1240-70-0x000007FEF3A80000-0x000007FEF4B16000-memory.dmp

Filesize
16.6MB

Download
memory/1240-74-0x00000000020D6000-0x00000000020F5000-memory.dmp

Filesize
124KB

Download