gh0strat | 17eb7cf69711747cc912e9685f6c1e79846f030bd5fb4e854b6e3e9e715ab0de

Analysis

max time kernel
148s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-03-2023 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

36KB
MD5

df8410184a39df8fe0bb38682632a28e
SHA1

566daf16f0ae29f27458e627232549f2d3b8e11d
SHA256

17eb7cf69711747cc912e9685f6c1e79846f030bd5fb4e854b6e3e9e715ab0de
SHA512

75c6a1187ac692d00331bf1205cdca31e0e06a7e5d50deea48967c7540de99bc5843d230fca485c37ce6c10e552a6625238a6f1bd8b5d153fd3850f329633774
SSDEEP

192:Y/l8yP7/73boE8jPJNJN1Rd/GO8LdubfXbLphoynfgH9teiDlFQ93M3pkR:8TLcPHJBIOvfZhWdteiD7QSc

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1944-113-0x0000000010000000-0x000000001017B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

6 1944 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

LiveUpdate.exeLiveUpdate.exe

pid process

1216 LiveUpdate.exe
1484 LiveUpdate.exe
Loads dropped DLL 1 IoCs

Processes:

test.exe

pid process

1308 test.exe

flow	pid	process
6	1944	cmd.exe

pid	process
1216	LiveUpdate.exe
1484	LiveUpdate.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Thunder\LiveUpdate.exe	upx
C:\ProgramData\Thunder\LiveUpdate.exe	upx
behavioral1/memory/1216-79-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1216-80-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1216-85-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1216-86-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1216-88-0x0000000000400000-0x000000000053F000-memory.dmp	upx
C:\ProgramData\Thunder\LiveUpdate.exe	upx
behavioral1/memory/1484-90-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1216-94-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1484-95-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1484-110-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	process
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\F:	cmd.exe
File opened (read-only)	\??\Q:	cmd.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

LiveUpdate.exe

description pid process target process

PID 1216 set thread context of 1944 1216 LiveUpdate.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1216 set thread context of 1944	1216	LiveUpdate.exe	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	cmd.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

test.execmd.exe

pid	process
1308	test.exe
1308	test.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: 33 1944 cmd.exe
Token: SeIncBasePriorityPrivilege 1944 cmd.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

test.exeLiveUpdate.exeLiveUpdate.execmd.exe

pid process

1308 test.exe
1216 LiveUpdate.exe
1216 LiveUpdate.exe
1484 LiveUpdate.exe
1484 LiveUpdate.exe
1944 cmd.exe

description	pid	process
Token: 33	1944	cmd.exe
Token: SeIncBasePriorityPrivilege	1944	cmd.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

taskeng.exeLiveUpdate.exeLiveUpdate.exe

description	pid	process	target process
PID 924 wrote to memory of 1216	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1216	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1216	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1216	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1216	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1216	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1216	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1484	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1484	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1484	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1484	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1484	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1484	924	taskeng.exe	LiveUpdate.exe
PID 924 wrote to memory of 1484	924	taskeng.exe	LiveUpdate.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe
PID 1484 wrote to memory of 1032	1484	LiveUpdate.exe	cmd.exe
PID 1484 wrote to memory of 1032	1484	LiveUpdate.exe	cmd.exe
PID 1484 wrote to memory of 1032	1484	LiveUpdate.exe	cmd.exe
PID 1484 wrote to memory of 1032	1484	LiveUpdate.exe	cmd.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe
PID 1216 wrote to memory of 1944	1216	LiveUpdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\system32\taskeng.exe
taskeng.exe {73D5DF3A-CE4E-4BE6-8D9E-2EC80FE4D335} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\ProgramData\Thunder\LiveUpdate.exe
C:\ProgramData\Thunder\LiveUpdate.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1944

C:\ProgramData\Thunder\LiveUpdate.exe
C:\ProgramData\Thunder\LiveUpdate.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.txt
Filesize
1.1MB

MD5
99cb9755677981518e59ba049e4b2e5a

SHA1
35a7899576f5bb2f0a99ea69e03acd4f9b63f831

SHA256
c6ae5b595850ec9d142f00843b63162fd4c5921038d0febe7b76a973f64493ba

SHA512
12ac1e3bd58ca92b6ab059c973607a93f22e21f098e0b6e20584dbf0a64085d1f278f6402144023b6c71b48bc2c8db2cf2f7052afc81b1570962ae81952b6b74

Download Submit
C:\ProgramData\SqlVersion.dll
Filesize
95KB

MD5
87bf7ce55dba3a9339302fadb215c0a5

SHA1
ce5905a284d0dc0984220fa0012107c7417fc491

SHA256
28d55c24d4aa08078bc8d3efcc656c7313fb62f883745e1bce8c3e25f5b59483

SHA512
29e2d7522dca4594d3753a235d34a72ec2c074747cc4e36a79112386fd417d3926c1bb40dbf04d7a9861139136c482cccff061d789081a102bbfa20efba273ed

Download Submit
C:\ProgramData\Thunder\LiveUpdate.dat
Filesize
36KB

MD5
f033471932cc558c5f7a25261967a97b

SHA1
8186d2f9ae0ea74f2214da3ad0a932e609f25052

SHA256
9ab9d6ed62410c38f7045e5fedb39457db70cbb47cf4d1293fa1ef7a24fea41e

SHA512
406665d8f77c810e9a19676416249b7159208935b541c9f4f21bec91f74093fa9b4d6acfe511c07d9496064e9e951259b8c98e163ce7c69eff492e307b3423ac

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe
Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe
Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe
Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\ProgramData\setting.ini
Filesize
14B

MD5
88cc3e3a35ac7a57a2d9b2632c7fc5f8

SHA1
67a04a547a9add726932e00447e1c6939f1639fb

SHA256
18739435f66131b1c596d73fada3d1219ea0a4f2d4ccee56573baef4161d5e43

SHA512
1c40fc3635b2117a1a970778a8dcc11ba97d77a34cbb43583a018e43c1648138a5f8aacaf4d1767deed0b0e39879476e0069a43506b93d19c4997a10b3060038

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_1\_TUProjDT.dat
Filesize
4B

MD5
bd74984124813a14a4b6794b4832c19d

SHA1
502ac30df476653c9c2189f97ade61919d132909

SHA256
c5d16bf49dfcd5b00c03ee20672285b953eb064de2927cce8628a42899ba3b91

SHA512
a9b757b43ac895e520087b28fc8fa7797b4dd29bd848b1159aed41cf065b10245e4ce055200e5cf3231f1558ed104735937de675aaacf7490dbc915d4d3d96eb

Download Submit
\ProgramData\SqlVersion.dll
Filesize
95KB

MD5
87bf7ce55dba3a9339302fadb215c0a5

SHA1
ce5905a284d0dc0984220fa0012107c7417fc491

SHA256
28d55c24d4aa08078bc8d3efcc656c7313fb62f883745e1bce8c3e25f5b59483

SHA512
29e2d7522dca4594d3753a235d34a72ec2c074747cc4e36a79112386fd417d3926c1bb40dbf04d7a9861139136c482cccff061d789081a102bbfa20efba273ed

Download Submit
memory/1216-94-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-80-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-87-0x0000000002070000-0x0000000002079000-memory.dmp

Filesize
36KB

Download
memory/1216-79-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-86-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-85-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-88-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-108-0x0000000002070000-0x0000000002079000-memory.dmp

Filesize
36KB

Download
memory/1484-95-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1484-110-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1484-90-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1944-100-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-101-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-102-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-103-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1944-104-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-106-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-99-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-97-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-109-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-113-0x0000000010000000-0x000000001017B000-memory.dmp

Filesize
1.5MB

Download