gh0strat | 95fd93f3c2eb0bc7bbff95fb4e1e1df48486e67e025c0ff96b94a0e17add140b

General

Target

a9ad72c409a9d0746fd59cc4d392d2b0.exe
Size

395KB
MD5

a9ad72c409a9d0746fd59cc4d392d2b0
SHA1

967bfc3d4980fd9a25002282119e36d87ff10be4
SHA256

95fd93f3c2eb0bc7bbff95fb4e1e1df48486e67e025c0ff96b94a0e17add140b
SHA512

40c67db8005b2621be9946e5d596cb09744f0caa1f617053bb8ab865e79836e8b029e700e2372120e00658829a01ad2cb0f6f7cb5441b48d63f807dcfaaa2b70
SSDEEP

6144:vGHc//////7hwTB9RZEtXYP3MLJD4Qfwp85PpuRcxIsLoDkUtefOlEwa8x:qc//////dwTDbEyPLQfN71LoDxeXQ

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e74b-141.dat	family_gh0strat
behavioral2/files/0x000400000001e74b-142.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
5036	buding.exe
3392	QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe

Loads dropped DLL 1 IoCs

pid	Process
1612	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\uxbmcocwli	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\cynnp.pic	buding.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	5036	buding.exe
Token: SeRestorePrivilege	5036	buding.exe
Token: SeBackupPrivilege	5036	buding.exe
Token: SeRestorePrivilege	5036	buding.exe
Token: SeBackupPrivilege	1612	svchost.exe
Token: SeRestorePrivilege	1612	svchost.exe
Token: SeBackupPrivilege	1612	svchost.exe
Token: SeBackupPrivilege	1612	svchost.exe
Token: SeSecurityPrivilege	1612	svchost.exe
Token: SeSecurityPrivilege	1612	svchost.exe
Token: SeBackupPrivilege	1612	svchost.exe
Token: SeBackupPrivilege	1612	svchost.exe
Token: SeSecurityPrivilege	1612	svchost.exe
Token: SeBackupPrivilege	1612	svchost.exe
Token: SeBackupPrivilege	1612	svchost.exe
Token: SeSecurityPrivilege	1612	svchost.exe
Token: SeBackupPrivilege	1612	svchost.exe
Token: SeRestorePrivilege	1612	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 2736	4288	a9ad72c409a9d0746fd59cc4d392d2b0.exe	76
PID 4288 wrote to memory of 2736	4288	a9ad72c409a9d0746fd59cc4d392d2b0.exe	76
PID 4288 wrote to memory of 2736	4288	a9ad72c409a9d0746fd59cc4d392d2b0.exe	76
PID 2736 wrote to memory of 5036	2736	cmd.exe	78
PID 2736 wrote to memory of 5036	2736	cmd.exe	78
PID 2736 wrote to memory of 5036	2736	cmd.exe	78
PID 4288 wrote to memory of 4388	4288	a9ad72c409a9d0746fd59cc4d392d2b0.exe	79
PID 4288 wrote to memory of 4388	4288	a9ad72c409a9d0746fd59cc4d392d2b0.exe	79
PID 4288 wrote to memory of 4388	4288	a9ad72c409a9d0746fd59cc4d392d2b0.exe	79
PID 4388 wrote to memory of 3392	4388	cmd.exe	81
PID 4388 wrote to memory of 3392	4388	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\a9ad72c409a9d0746fd59cc4d392d2b0.exe
"C:\Users\Admin\AppData\Local\Temp\a9ad72c409a9d0746fd59cc4d392d2b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\buding.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\buding.exe
    C:\Users\Admin\AppData\Local\Temp\buding.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe
    C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe
    3⤵
    - Executes dropped EXE
    PID:3392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "netsvcs" -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\cynnp.pic

Filesize
2.0MB

MD5
e7351d3d65f63b2f15b596d7f123eb22

SHA1
18d5633c2a03e7cbaf5f44a633fad15203e28207

SHA256
1ff74e0fde80c9d8fa2ee30994afc122c0f6bb5eb98642e9f7eee5563eca9bf1

SHA512
c55ee6aa822202aba810d8f2e5e8d63252591356f109841f2e06c13c31e14bfe44f1493a46351e6b8f8ce69d76f642f750b0f1b2502c9dfdcb4c0148cd9a7862

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe

Filesize
288KB

MD5
bbaf5d3072afae0e6d313cfefab6c859

SHA1
32038b37d8e9da7371dde4002a71239872314aac

SHA256
48bcc4d510d3b59da489a395d806c6d3e51d84ba1a6731fa23d8881a87b84bb5

SHA512
d9768ddaa0d88f36644ac8005c21c189e14fec92823f34b536c6b32a5c92cfbaf9d0428a8e84a1779458e17546acce19d722d914525879a0c0eadb7a87f9bd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQ¼ÓÃÜ¿Õ¼äÏà²á²é¿´.exe

Filesize
288KB

MD5
bbaf5d3072afae0e6d313cfefab6c859

SHA1
32038b37d8e9da7371dde4002a71239872314aac

SHA256
48bcc4d510d3b59da489a395d806c6d3e51d84ba1a6731fa23d8881a87b84bb5

SHA512
d9768ddaa0d88f36644ac8005c21c189e14fec92823f34b536c6b32a5c92cfbaf9d0428a8e84a1779458e17546acce19d722d914525879a0c0eadb7a87f9bd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\buding.exe

Filesize
192KB

MD5
a435fb7317105acc306f2a25a88c9225

SHA1
1a6aac6f8b131ee09b46df5d042bfa0573afb9bd

SHA256
462165791700307f16f40056c9d09b7e3ebed01a5bb800fd0c68cb8b5e50e769

SHA512
67e64b60245859528160e9664a2d8d2ced0d043a977cbe93764bbde621dcf76def9bdc99f725d7d984e62468c7baaa06988f34add8d9a46b95819bd4646bc7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\buding.exe

Filesize
192KB

MD5
a435fb7317105acc306f2a25a88c9225

SHA1
1a6aac6f8b131ee09b46df5d042bfa0573afb9bd

SHA256
462165791700307f16f40056c9d09b7e3ebed01a5bb800fd0c68cb8b5e50e769

SHA512
67e64b60245859528160e9664a2d8d2ced0d043a977cbe93764bbde621dcf76def9bdc99f725d7d984e62468c7baaa06988f34add8d9a46b95819bd4646bc7f6

Download Submit
\??\c:\progra~2\google\cynnp.pic

Filesize
2.0MB

MD5
e7351d3d65f63b2f15b596d7f123eb22

SHA1
18d5633c2a03e7cbaf5f44a633fad15203e28207

SHA256
1ff74e0fde80c9d8fa2ee30994afc122c0f6bb5eb98642e9f7eee5563eca9bf1

SHA512
c55ee6aa822202aba810d8f2e5e8d63252591356f109841f2e06c13c31e14bfe44f1493a46351e6b8f8ce69d76f642f750b0f1b2502c9dfdcb4c0148cd9a7862

Download Submit
memory/3392-140-0x00007FF89FB70000-0x00007FF8A05A6000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing