gh0strat | a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c

General

Target

a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
Size

24KB
MD5

fa4d9fbdc732b960d6574cd3c6b3ad8f
SHA1

54a593350ab7da76b95c2a6c09128ae68aab934b
SHA256

a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c
SHA512

cf598aab0a466ecf029a86df122bfda575895d9b2252d79cce8a951f7a2aded9a656c9fc7d17972017a5b973d1d4b861f54ed843ea45e134dec4bcbf57ad1fe3
SSDEEP

192:lf/82V/SYpHNn+e+eLPvVBplvV/gUoynRdsqonH6:1U2JSYpHNnJpFBx/17dtonH6

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1500-97-0x0000000010000000-0x000000001017B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 2 IoCs

Processes:

LiveUpdate.exeLiveUpdate.exe

pid process

1752 LiveUpdate.exe
904 LiveUpdate.exe
Loads dropped DLL 1 IoCs

Processes:

a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe

pid process

1144 a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe

pid	process
1752	LiveUpdate.exe
904	LiveUpdate.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Thunder\LiveUpdate.exe	upx
C:\ProgramData\Thunder\LiveUpdate.exe	upx
behavioral1/memory/1752-75-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1752-76-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1752-81-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1752-82-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1752-95-0x0000000000400000-0x000000000053F000-memory.dmp	upx
C:\ProgramData\Thunder\LiveUpdate.exe	upx
behavioral1/memory/904-114-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1752-115-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/904-116-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/904-121-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

LiveUpdate.exeLiveUpdate.exe

description	pid	process	target process
PID 1752 set thread context of 1500	1752	LiveUpdate.exe	cmd.exe
PID 904 set thread context of 1724	904	LiveUpdate.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe

pid	process
1144	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
1144	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exeLiveUpdate.execmd.exeLiveUpdate.exe

pid	process
1144	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
1144	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
1752	LiveUpdate.exe
1752	LiveUpdate.exe
1500	cmd.exe
904	LiveUpdate.exe
904	LiveUpdate.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

taskeng.exeLiveUpdate.exeLiveUpdate.exe

description	pid	process	target process
PID 1824 wrote to memory of 1752	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 1752	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 1752	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 1752	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 1752	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 1752	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 1752	1824	taskeng.exe	LiveUpdate.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1752 wrote to memory of 1500	1752	LiveUpdate.exe	cmd.exe
PID 1824 wrote to memory of 904	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 904	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 904	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 904	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 904	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 904	1824	taskeng.exe	LiveUpdate.exe
PID 1824 wrote to memory of 904	1824	taskeng.exe	LiveUpdate.exe
PID 904 wrote to memory of 1724	904	LiveUpdate.exe	cmd.exe
PID 904 wrote to memory of 1724	904	LiveUpdate.exe	cmd.exe
PID 904 wrote to memory of 1724	904	LiveUpdate.exe	cmd.exe
PID 904 wrote to memory of 1724	904	LiveUpdate.exe	cmd.exe
PID 904 wrote to memory of 1724	904	LiveUpdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
"C:\Users\Admin\AppData\Local\Temp\a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\system32\taskeng.exe
taskeng.exe {B78D4FA5-8CE6-4B83-966F-F03AE105F761} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\ProgramData\Thunder\LiveUpdate.exe
C:\ProgramData\Thunder\LiveUpdate.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1500

C:\ProgramData\Thunder\LiveUpdate.exe
C:\ProgramData\Thunder\LiveUpdate.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.txt
Filesize
1.1MB

MD5
99cb9755677981518e59ba049e4b2e5a

SHA1
35a7899576f5bb2f0a99ea69e03acd4f9b63f831

SHA256
c6ae5b595850ec9d142f00843b63162fd4c5921038d0febe7b76a973f64493ba

SHA512
12ac1e3bd58ca92b6ab059c973607a93f22e21f098e0b6e20584dbf0a64085d1f278f6402144023b6c71b48bc2c8db2cf2f7052afc81b1570962ae81952b6b74

Download Submit
C:\ProgramData\SqlVersion.dll
Filesize
932KB

MD5
08f1b7dc0f72ef52d7e190496e24d5b7

SHA1
57f00b052822a4a4b3be57d0d04d64c06e01043a

SHA256
304a6a5db26763f70092e7d953afa9665be541c5a993c641b2cc3e976e3c1e9b

SHA512
450b2cfd9b766fbaec82449154bc78b1a89137f85c7613e5ea5f74ee6d9f93589e1e84334b034600dff49c7758045cb07c587d18560705e6e700e0bcbd523b2a

Download Submit
C:\ProgramData\Thunder\LiveUpdate.dat
Filesize
36KB

MD5
f033471932cc558c5f7a25261967a97b

SHA1
8186d2f9ae0ea74f2214da3ad0a932e609f25052

SHA256
9ab9d6ed62410c38f7045e5fedb39457db70cbb47cf4d1293fa1ef7a24fea41e

SHA512
406665d8f77c810e9a19676416249b7159208935b541c9f4f21bec91f74093fa9b4d6acfe511c07d9496064e9e951259b8c98e163ce7c69eff492e307b3423ac

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe
Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe
Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe
Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_1\_TUProjDT.dat
Filesize
4B

MD5
bd74984124813a14a4b6794b4832c19d

SHA1
502ac30df476653c9c2189f97ade61919d132909

SHA256
c5d16bf49dfcd5b00c03ee20672285b953eb064de2927cce8628a42899ba3b91

SHA512
a9b757b43ac895e520087b28fc8fa7797b4dd29bd848b1159aed41cf065b10245e4ce055200e5cf3231f1558ed104735937de675aaacf7490dbc915d4d3d96eb

Download Submit
\ProgramData\SqlVersion.dll
Filesize
932KB

MD5
08f1b7dc0f72ef52d7e190496e24d5b7

SHA1
57f00b052822a4a4b3be57d0d04d64c06e01043a

SHA256
304a6a5db26763f70092e7d953afa9665be541c5a993c641b2cc3e976e3c1e9b

SHA512
450b2cfd9b766fbaec82449154bc78b1a89137f85c7613e5ea5f74ee6d9f93589e1e84334b034600dff49c7758045cb07c587d18560705e6e700e0bcbd523b2a

Download Submit
memory/904-121-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/904-116-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/904-114-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1500-96-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1500-97-0x0000000010000000-0x000000001017B000-memory.dmp

Filesize
1.5MB

Download
memory/1500-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1500-88-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1500-90-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1500-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1500-92-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1500-85-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1500-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1500-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1724-118-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1752-95-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1752-83-0x0000000002630000-0x0000000002639000-memory.dmp

Filesize
36KB

Download
memory/1752-82-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1752-81-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1752-115-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1752-76-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1752-94-0x0000000002630000-0x0000000002639000-memory.dmp

Filesize
36KB

Download
memory/1752-75-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads