gh0strat | d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4556a9aecff592f6ce5ccb38723d498b.exe
Size

1.8MB
MD5

4556a9aecff592f6ce5ccb38723d498b
SHA1

45597783669da932fa11e1c2e1333a857fe05f5c
SHA256

d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963
SHA512

be99d996cae9271224670fe01a7c6f6bc798a17ab50f23efc038c26577befc5da5097e17f662ca3c9d84b8ad7c7642074014b88aea3c194623d274a84a3b0441
SSDEEP

49152:B/6YE7aZtS/kgvSS3z5vMU671vvI6ALDbk7E:67EGj3dMUKODn

Score

10^/10

gh0strat persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/memory/4108-252-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/4108-261-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/4108-264-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/3652-305-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/3652-306-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/4108-308-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	4556a9aecff592f6ce5ccb38723d498b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
2804	Ð¡Àõ×Ó¿ò¼Ü¶àQ.exe
2204	server.exe
4108	._cache_server.exe
988	Synaptics.exe
3652	._cache_Synaptics.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2732-133-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x000b00000002312f-139.dat	upx
behavioral2/files/0x000b00000002312f-147.dat	upx
behavioral2/memory/2732-156-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x000b00000002312f-146.dat	upx
behavioral2/memory/2804-157-0x0000000000400000-0x0000000000AD9000-memory.dmp	upx
behavioral2/memory/2804-307-0x0000000000400000-0x0000000000AD9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	._cache_server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DF1AD095 = "C:\\Windows\\DF1AD095\\svchsot.exe"	._cache_server.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DF1AD095\svchsot.exe	._cache_server.exe
File opened for modification	C:\Windows\DF1AD095\svchsot.exe	._cache_server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_server.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4108	._cache_server.exe
4108	._cache_server.exe
4108	._cache_server.exe
4108	._cache_server.exe
4108	._cache_server.exe
4108	._cache_server.exe
4108	._cache_server.exe
4108	._cache_server.exe
3652	._cache_Synaptics.exe
3652	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4108	._cache_server.exe
Token: SeDebugPrivilege	4108	._cache_server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	Ð¡Àõ×Ó¿ò¼Ü¶àQ.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2804	2732	4556a9aecff592f6ce5ccb38723d498b.exe	86
PID 2732 wrote to memory of 2804	2732	4556a9aecff592f6ce5ccb38723d498b.exe	86
PID 2732 wrote to memory of 2804	2732	4556a9aecff592f6ce5ccb38723d498b.exe	86
PID 2732 wrote to memory of 2204	2732	4556a9aecff592f6ce5ccb38723d498b.exe	87
PID 2732 wrote to memory of 2204	2732	4556a9aecff592f6ce5ccb38723d498b.exe	87
PID 2732 wrote to memory of 2204	2732	4556a9aecff592f6ce5ccb38723d498b.exe	87
PID 2204 wrote to memory of 4108	2204	server.exe	88
PID 2204 wrote to memory of 4108	2204	server.exe	88
PID 2204 wrote to memory of 4108	2204	server.exe	88
PID 2204 wrote to memory of 988	2204	server.exe	89
PID 2204 wrote to memory of 988	2204	server.exe	89
PID 2204 wrote to memory of 988	2204	server.exe	89
PID 4108 wrote to memory of 4828	4108	._cache_server.exe	90
PID 4108 wrote to memory of 4828	4108	._cache_server.exe	90
PID 4108 wrote to memory of 4828	4108	._cache_server.exe	90
PID 4828 wrote to memory of 3936	4828	net.exe	92
PID 4828 wrote to memory of 3936	4828	net.exe	92
PID 4828 wrote to memory of 3936	4828	net.exe	92
PID 988 wrote to memory of 3652	988	Synaptics.exe	93
PID 988 wrote to memory of 3652	988	Synaptics.exe	93
PID 988 wrote to memory of 3652	988	Synaptics.exe	93

C:\Users\Admin\AppData\Local\Temp\4556a9aecff592f6ce5ccb38723d498b.exe
"C:\Users\Admin\AppData\Local\Temp\4556a9aecff592f6ce5ccb38723d498b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\Temp\Ð¡Àõ×Ó¿ò¼Ü¶àQ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\Ð¡Àõ×Ó¿ò¼Ü¶àQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\._cache_server.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:3936
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
833KB

MD5
c7f4a82454c0303ac4223af00201caf9

SHA1
8216b06d213f8032c7a762292e41d23d0cce7010

SHA256
5cfd6d75e11b37892f3ed79e2c50f898270937fa0e8571636cff2309acbb0bd5

SHA512
a0e549f3728f28d14c4c2d333caededdb02125f5b9d965bc43caf545dbaea4d7c011000d51f502e8cdfb7bfccc5d759a637ec49f813604d39491b71aca68ea82

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
833KB

MD5
c7f4a82454c0303ac4223af00201caf9

SHA1
8216b06d213f8032c7a762292e41d23d0cce7010

SHA256
5cfd6d75e11b37892f3ed79e2c50f898270937fa0e8571636cff2309acbb0bd5

SHA512
a0e549f3728f28d14c4c2d333caededdb02125f5b9d965bc43caf545dbaea4d7c011000d51f502e8cdfb7bfccc5d759a637ec49f813604d39491b71aca68ea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
80KB

MD5
2f68d9a174d6311777ecb30be1e925fe

SHA1
bfcdbc01917fcf1fc1f8fe53bd3eeca460ffb127

SHA256
f010ea87782acde2cc6d37ac6301fa5ca771af69fdaa62389164769cad78d072

SHA512
492ebdff060b655bba981edd8f7c448df1c9b18f3ffb8cb11d3db045148564511d06267db0d3947caedf7e3301da363004e7dbffd5f337e06813ed876153175d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
80KB

MD5
2f68d9a174d6311777ecb30be1e925fe

SHA1
bfcdbc01917fcf1fc1f8fe53bd3eeca460ffb127

SHA256
f010ea87782acde2cc6d37ac6301fa5ca771af69fdaa62389164769cad78d072

SHA512
492ebdff060b655bba981edd8f7c448df1c9b18f3ffb8cb11d3db045148564511d06267db0d3947caedf7e3301da363004e7dbffd5f337e06813ed876153175d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_server.exe

Filesize
80KB

MD5
2f68d9a174d6311777ecb30be1e925fe

SHA1
bfcdbc01917fcf1fc1f8fe53bd3eeca460ffb127

SHA256
f010ea87782acde2cc6d37ac6301fa5ca771af69fdaa62389164769cad78d072

SHA512
492ebdff060b655bba981edd8f7c448df1c9b18f3ffb8cb11d3db045148564511d06267db0d3947caedf7e3301da363004e7dbffd5f337e06813ed876153175d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_server.exe

Filesize
80KB

MD5
2f68d9a174d6311777ecb30be1e925fe

SHA1
bfcdbc01917fcf1fc1f8fe53bd3eeca460ffb127

SHA256
f010ea87782acde2cc6d37ac6301fa5ca771af69fdaa62389164769cad78d072

SHA512
492ebdff060b655bba981edd8f7c448df1c9b18f3ffb8cb11d3db045148564511d06267db0d3947caedf7e3301da363004e7dbffd5f337e06813ed876153175d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_server.exe

Filesize
80KB

MD5
2f68d9a174d6311777ecb30be1e925fe

SHA1
bfcdbc01917fcf1fc1f8fe53bd3eeca460ffb127

SHA256
f010ea87782acde2cc6d37ac6301fa5ca771af69fdaa62389164769cad78d072

SHA512
492ebdff060b655bba981edd8f7c448df1c9b18f3ffb8cb11d3db045148564511d06267db0d3947caedf7e3301da363004e7dbffd5f337e06813ed876153175d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\server.exe

Filesize
833KB

MD5
c7f4a82454c0303ac4223af00201caf9

SHA1
8216b06d213f8032c7a762292e41d23d0cce7010

SHA256
5cfd6d75e11b37892f3ed79e2c50f898270937fa0e8571636cff2309acbb0bd5

SHA512
a0e549f3728f28d14c4c2d333caededdb02125f5b9d965bc43caf545dbaea4d7c011000d51f502e8cdfb7bfccc5d759a637ec49f813604d39491b71aca68ea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\server.exe

Filesize
833KB

MD5
c7f4a82454c0303ac4223af00201caf9

SHA1
8216b06d213f8032c7a762292e41d23d0cce7010

SHA256
5cfd6d75e11b37892f3ed79e2c50f898270937fa0e8571636cff2309acbb0bd5

SHA512
a0e549f3728f28d14c4c2d333caededdb02125f5b9d965bc43caf545dbaea4d7c011000d51f502e8cdfb7bfccc5d759a637ec49f813604d39491b71aca68ea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\server.exe

Filesize
833KB

MD5
c7f4a82454c0303ac4223af00201caf9

SHA1
8216b06d213f8032c7a762292e41d23d0cce7010

SHA256
5cfd6d75e11b37892f3ed79e2c50f898270937fa0e8571636cff2309acbb0bd5

SHA512
a0e549f3728f28d14c4c2d333caededdb02125f5b9d965bc43caf545dbaea4d7c011000d51f502e8cdfb7bfccc5d759a637ec49f813604d39491b71aca68ea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Ð¡Àõ×Ó¿ò¼Ü¶àQ.exe

Filesize
1.5MB

MD5
8d1065a19ae05ac36ed942caee92bb00

SHA1
873be2020b264277888f05bc93c65a0c68bfd519

SHA256
f956cc828fe2a4c27cf8e9713f72650ba02398b38682079939321829f9926dd9

SHA512
11ba3a788e73ab7274063c6fc876c233c5d9bc5243e669deea891bc7b04da356b209c889bdbcb9029381229ad19f6018dc3e16c7bc16d6130f1906c94a468f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Ð¡Àõ×Ó¿ò¼Ü¶àQ.exe

Filesize
1.5MB

MD5
8d1065a19ae05ac36ed942caee92bb00

SHA1
873be2020b264277888f05bc93c65a0c68bfd519

SHA256
f956cc828fe2a4c27cf8e9713f72650ba02398b38682079939321829f9926dd9

SHA512
11ba3a788e73ab7274063c6fc876c233c5d9bc5243e669deea891bc7b04da356b209c889bdbcb9029381229ad19f6018dc3e16c7bc16d6130f1906c94a468f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Ð¡Àõ×Ó¿ò¼Ü¶àQ.exe

Filesize
1.5MB

MD5
8d1065a19ae05ac36ed942caee92bb00

SHA1
873be2020b264277888f05bc93c65a0c68bfd519

SHA256
f956cc828fe2a4c27cf8e9713f72650ba02398b38682079939321829f9926dd9

SHA512
11ba3a788e73ab7274063c6fc876c233c5d9bc5243e669deea891bc7b04da356b209c889bdbcb9029381229ad19f6018dc3e16c7bc16d6130f1906c94a468f29

Download Submit
memory/988-333-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/988-317-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/988-309-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/988-301-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2204-201-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/2204-265-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2732-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2732-156-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2804-157-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2804-307-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/3652-305-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/3652-306-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/4108-264-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/4108-303-0x00000000008A0000-0x00000000008BA000-memory.dmp

Filesize
104KB

Download
memory/4108-308-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/4108-261-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/4108-310-0x00000000008A0000-0x00000000008BA000-memory.dmp

Filesize
104KB

Download
memory/4108-252-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/4108-250-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download