gh0strat | 24c9a7115471a7ddc4361c6f3752e75a2318a6ffa4373eeab9e8a60d720268d0

General

Target

ӷƱ (03).exe
Size

36KB
MD5

bf0a28efc4c32b857332250dbb1d132a
SHA1

61039a5ec49b283775a232cb9c23ead25ca4d8d9
SHA256

0525947d2063f56a8288dd3d54210fc49a3a615c338c4bd7260731649f9b7e5b
SHA512

8ba699251c9a037d723b89b6edf57b1da0982e860983be4f340bd789214aff6ee98637999864641b281f9570ba3d60362c74c2ba151a1f3deb08cc9f84a7f6f0
SSDEEP

192:tXU60V/WmoI+af4R9JNRcJLef3Rmtj0IRmtSgUoynSYgH9L1nnCQBRmlFQ93M3pc:tk60V/wI4PJhGYSGS1EtdLVC+w7QSc

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4756-170-0x0000000010000000-0x000000001017B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

27 4756 cmd.exe

flow	pid	process
27	4756	cmd.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\SqlVersion.dll	acprotect
C:\ProgramData\SqlVersion.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

LiveUpdate.exe

pid process

3696 LiveUpdate.exe
Loads dropped DLL 1 IoCs

Processes:

ӷƱ (03).exe

pid process

4360 ӷƱ (03).exe

pid	process
3696	LiveUpdate.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\SqlVersion.dll	upx
C:\ProgramData\SqlVersion.dll	upx
C:\ProgramData\Thunder\LiveUpdate.exe	upx
behavioral2/memory/4360-158-0x00000000738E0000-0x00000000739D0000-memory.dmp	upx
behavioral2/memory/3696-163-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/3696-189-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/3696-198-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	process
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\Q:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\F:	cmd.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

LiveUpdate.exe

description pid process target process

PID 3696 set thread context of 4756 3696 LiveUpdate.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3696 set thread context of 4756	3696	LiveUpdate.exe	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ӷƱ (03).execmd.exe

pid	process
4360	ӷƱ (03).exe
4360	ӷƱ (03).exe
4360	ӷƱ (03).exe
4360	ӷƱ (03).exe
4360	ӷƱ (03).exe
4360	ӷƱ (03).exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe
4756	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

cmd.exe

description	pid	process
Token: 33	4756	cmd.exe
Token: SeIncBasePriorityPrivilege	4756	cmd.exe
Token: 33	4756	cmd.exe
Token: SeIncBasePriorityPrivilege	4756	cmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ӷƱ (03).exeLiveUpdate.exe

pid process

4360 ӷƱ (03).exe
4360 ӷƱ (03).exe
3696 LiveUpdate.exe
3696 LiveUpdate.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

LiveUpdate.exe

description	pid	process	target process
PID 3696 wrote to memory of 4756	3696	LiveUpdate.exe	cmd.exe
PID 3696 wrote to memory of 4756	3696	LiveUpdate.exe	cmd.exe
PID 3696 wrote to memory of 4756	3696	LiveUpdate.exe	cmd.exe
PID 3696 wrote to memory of 4756	3696	LiveUpdate.exe	cmd.exe
PID 3696 wrote to memory of 4756	3696	LiveUpdate.exe	cmd.exe
PID 3696 wrote to memory of 4756	3696	LiveUpdate.exe	cmd.exe
PID 3696 wrote to memory of 4756	3696	LiveUpdate.exe	cmd.exe
PID 3696 wrote to memory of 4756	3696	LiveUpdate.exe	cmd.exe
PID 3696 wrote to memory of 4756	3696	LiveUpdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ӷƱ (03).exe
"C:\Users\Admin\AppData\Local\Temp\ӷƱ (03).exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4360

C:\ProgramData\Thunder\LiveUpdate.exe
C:\ProgramData\Thunder\LiveUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.txt
Filesize
1.1MB

MD5
99cb9755677981518e59ba049e4b2e5a

SHA1
35a7899576f5bb2f0a99ea69e03acd4f9b63f831

SHA256
c6ae5b595850ec9d142f00843b63162fd4c5921038d0febe7b76a973f64493ba

SHA512
12ac1e3bd58ca92b6ab059c973607a93f22e21f098e0b6e20584dbf0a64085d1f278f6402144023b6c71b48bc2c8db2cf2f7052afc81b1570962ae81952b6b74

Download Submit
C:\ProgramData\SqlVersion.dll
Filesize
173KB

MD5
193abd962e6d777ca12b3d238ab986b3

SHA1
0e9975cd70583ddb0a56b06d0cfaf2b3d87b772f

SHA256
aeb10015a45bd06af3cafd82bd85ed3098a538ccbbb10a798145b677b45f7eda

SHA512
077a738f09d3f8497630c4fa722dd7cae405cc47f1b1338cdef0d65c5f1e4f79062e30ecbcb79813280037f764f006037dbcb51b688e678de3dd96db590e24b0

Download Submit
C:\ProgramData\SqlVersion.dll
Filesize
173KB

MD5
193abd962e6d777ca12b3d238ab986b3

SHA1
0e9975cd70583ddb0a56b06d0cfaf2b3d87b772f

SHA256
aeb10015a45bd06af3cafd82bd85ed3098a538ccbbb10a798145b677b45f7eda

SHA512
077a738f09d3f8497630c4fa722dd7cae405cc47f1b1338cdef0d65c5f1e4f79062e30ecbcb79813280037f764f006037dbcb51b688e678de3dd96db590e24b0

Download Submit
C:\ProgramData\Thunder\LiveUpdate.dat
Filesize
29KB

MD5
0548ecfa93438e3126129b52c8aec910

SHA1
2bc74dc6ac92a8b92da0b90a92225304d1addd0b

SHA256
0951a0e07f3bf8fd0b2bc2bb84f2f9cb462b9e348eebc98e2b6de74c58eb13f8

SHA512
2fc3843c17ebfac7a420e7c75a68c6add88e53e137a9fdc3cc43dc0e1fb9dc5427890b7f1779853411e8c3d35fc6c0cfe29959220d11692ef69435905c229a56

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe
Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\ProgramData\setting.ini
Filesize
14B

MD5
88cc3e3a35ac7a57a2d9b2632c7fc5f8

SHA1
67a04a547a9add726932e00447e1c6939f1639fb

SHA256
18739435f66131b1c596d73fada3d1219ea0a4f2d4ccee56573baef4161d5e43

SHA512
1c40fc3635b2117a1a970778a8dcc11ba97d77a34cbb43583a018e43c1648138a5f8aacaf4d1767deed0b0e39879476e0069a43506b93d19c4997a10b3060038

Download Submit
memory/3696-164-0x0000000002CE0000-0x0000000002CE7000-memory.dmp

Filesize
28KB

Download
memory/3696-166-0x0000000002CE0000-0x0000000002CE7000-memory.dmp

Filesize
28KB

Download
memory/3696-163-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3696-189-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3696-198-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4360-158-0x00000000738E0000-0x00000000739D0000-memory.dmp

Filesize
960KB

Download
memory/4756-165-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4756-168-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4756-170-0x0000000010000000-0x000000001017B000-memory.dmp

Filesize
1.5MB

Download
memory/4756-187-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads