gh0strat | 2c6f5bffa8066d7d486735adb6ccc78654f487edd5ebeba5e043eb0db3cf6ae4

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28-08-2023 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe
Size

524KB
MD5

20320bd328c8a9ab7ebacd0b7827c742
SHA1

8a66676b0a4926a9525630f6b4ec7a106db3e27f
SHA256

46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a
SHA512

151a1d9db7f4162417e0f0bedd21d2442d16330003466b76d1055d099360262f0e4f72411125fda2302c531d2845e3ea620aeea3616c5172dcb194fef276a646
SSDEEP

12288:KQb8e55GXwhEIGmcuRrv0CbU4j0ARGohKRjP7Kt+V7UB1ZSQCVmzdditQxL5NLlg:L5pKpOd/GTV5nJ

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2776-26-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/2776-29-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/2776-35-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
1932	f7676e5.exe
2776	WindowsUpdate.exe

Loads dropped DLL 6 IoCs

pid	Process
2068	46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe
2068	46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe
1932	f7676e5.exe
2776	WindowsUpdate.exe
2776	WindowsUpdate.exe
2776	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXXD9AED7F2 = "C:\\Windows\\XXXXXXD9AED7F2\\svchsot.exe"	WindowsUpdate.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	WindowsUpdate.exe
File opened (read-only)	\??\D:	WindowsUpdate.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\D9AED7F2	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\D9AED7F2	WindowsUpdate.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\XXXXXXD9AED7F2\svchsot.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\XXXXXXD9AED7F2\svchsot.exe	WindowsUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
868	notepad.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2776	WindowsUpdate.exe
2776	WindowsUpdate.exe
2776	WindowsUpdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2068	46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe
2068	46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe
1932	f7676e5.exe
1932	f7676e5.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1932	2068	46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe	28
PID 2068 wrote to memory of 1932	2068	46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe	28
PID 2068 wrote to memory of 1932	2068	46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe	28
PID 2068 wrote to memory of 1932	2068	46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe	28
PID 1932 wrote to memory of 868	1932	f7676e5.exe	29
PID 1932 wrote to memory of 868	1932	f7676e5.exe	29
PID 1932 wrote to memory of 868	1932	f7676e5.exe	29
PID 1932 wrote to memory of 868	1932	f7676e5.exe	29
PID 1932 wrote to memory of 2776	1932	f7676e5.exe	30
PID 1932 wrote to memory of 2776	1932	f7676e5.exe	30
PID 1932 wrote to memory of 2776	1932	f7676e5.exe	30
PID 1932 wrote to memory of 2776	1932	f7676e5.exe	30
PID 1932 wrote to memory of 2776	1932	f7676e5.exe	30
PID 1932 wrote to memory of 2776	1932	f7676e5.exe	30
PID 1932 wrote to memory of 2776	1932	f7676e5.exe	30

C:\Users\Admin\AppData\Local\Temp\46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe
"C:\Users\Admin\AppData\Local\Temp\46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\Microsoft\f7676e5.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\f7676e5.exe" dmedmedme "C:\Users\Admin\AppData\Local\Temp\46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1932
- - \??\c:\windows\SysWOW64\notepad.exe
    c:\windows\system32\notepad.exe "C:\Users\Admin\AppData\Local\Temp\46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.txt"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:868
- - C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.txt

Filesize
286KB

MD5
4adabc4d645b74a87290b1d7d98de89b

SHA1
ec1d2249bcf87065c3e48e40da1abb281336aeac

SHA256
3677725d74284483f4c7a36580b890897821ff8eb91a472dab82fdf6cc9eb4cb

SHA512
040b5cf460402d3809693669c2d71f33d071c0a084b2a4a5f31d49df39411f9c7e190769ccb46edfa8e5f7289d4ed7f2ffdca4a8d173b0f391c71da348fbce7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe

Filesize
192KB

MD5
0122ed05571e241a00c96f7f4fb10b8a

SHA1
c7ca58693d39f4864336acf4dd1808fc8c6eb47c

SHA256
42b3bdeb900281dcb17c3f0bc91c8c9ff914b134b5bec6cd6e922c584f338bb0

SHA512
3fbf8b03606af8292d24c529415b59463ce4fdb3607a3e8683360ecbff45033a72dfc443cc0663bf8a74e8d43a3e24245edb1d995d312fc756bf4b877ef5f89c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe

Filesize
192KB

MD5
0122ed05571e241a00c96f7f4fb10b8a

SHA1
c7ca58693d39f4864336acf4dd1808fc8c6eb47c

SHA256
42b3bdeb900281dcb17c3f0bc91c8c9ff914b134b5bec6cd6e922c584f338bb0

SHA512
3fbf8b03606af8292d24c529415b59463ce4fdb3607a3e8683360ecbff45033a72dfc443cc0663bf8a74e8d43a3e24245edb1d995d312fc756bf4b877ef5f89c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\f7676e5.exe

Filesize
524KB

MD5
20320bd328c8a9ab7ebacd0b7827c742

SHA1
8a66676b0a4926a9525630f6b4ec7a106db3e27f

SHA256
46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a

SHA512
151a1d9db7f4162417e0f0bedd21d2442d16330003466b76d1055d099360262f0e4f72411125fda2302c531d2845e3ea620aeea3616c5172dcb194fef276a646

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\f7676e5.exe

Filesize
524KB

MD5
20320bd328c8a9ab7ebacd0b7827c742

SHA1
8a66676b0a4926a9525630f6b4ec7a106db3e27f

SHA256
46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a

SHA512
151a1d9db7f4162417e0f0bedd21d2442d16330003466b76d1055d099360262f0e4f72411125fda2302c531d2845e3ea620aeea3616c5172dcb194fef276a646

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe

Filesize
192KB

MD5
0122ed05571e241a00c96f7f4fb10b8a

SHA1
c7ca58693d39f4864336acf4dd1808fc8c6eb47c

SHA256
42b3bdeb900281dcb17c3f0bc91c8c9ff914b134b5bec6cd6e922c584f338bb0

SHA512
3fbf8b03606af8292d24c529415b59463ce4fdb3607a3e8683360ecbff45033a72dfc443cc0663bf8a74e8d43a3e24245edb1d995d312fc756bf4b877ef5f89c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe

Filesize
192KB

MD5
0122ed05571e241a00c96f7f4fb10b8a

SHA1
c7ca58693d39f4864336acf4dd1808fc8c6eb47c

SHA256
42b3bdeb900281dcb17c3f0bc91c8c9ff914b134b5bec6cd6e922c584f338bb0

SHA512
3fbf8b03606af8292d24c529415b59463ce4fdb3607a3e8683360ecbff45033a72dfc443cc0663bf8a74e8d43a3e24245edb1d995d312fc756bf4b877ef5f89c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe

Filesize
192KB

MD5
0122ed05571e241a00c96f7f4fb10b8a

SHA1
c7ca58693d39f4864336acf4dd1808fc8c6eb47c

SHA256
42b3bdeb900281dcb17c3f0bc91c8c9ff914b134b5bec6cd6e922c584f338bb0

SHA512
3fbf8b03606af8292d24c529415b59463ce4fdb3607a3e8683360ecbff45033a72dfc443cc0663bf8a74e8d43a3e24245edb1d995d312fc756bf4b877ef5f89c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe

Filesize
192KB

MD5
0122ed05571e241a00c96f7f4fb10b8a

SHA1
c7ca58693d39f4864336acf4dd1808fc8c6eb47c

SHA256
42b3bdeb900281dcb17c3f0bc91c8c9ff914b134b5bec6cd6e922c584f338bb0

SHA512
3fbf8b03606af8292d24c529415b59463ce4fdb3607a3e8683360ecbff45033a72dfc443cc0663bf8a74e8d43a3e24245edb1d995d312fc756bf4b877ef5f89c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\f7676e5.exe

Filesize
524KB

MD5
20320bd328c8a9ab7ebacd0b7827c742

SHA1
8a66676b0a4926a9525630f6b4ec7a106db3e27f

SHA256
46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a

SHA512
151a1d9db7f4162417e0f0bedd21d2442d16330003466b76d1055d099360262f0e4f72411125fda2302c531d2845e3ea620aeea3616c5172dcb194fef276a646

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\f7676e5.exe

Filesize
524KB

MD5
20320bd328c8a9ab7ebacd0b7827c742

SHA1
8a66676b0a4926a9525630f6b4ec7a106db3e27f

SHA256
46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a

SHA512
151a1d9db7f4162417e0f0bedd21d2442d16330003466b76d1055d099360262f0e4f72411125fda2302c531d2845e3ea620aeea3616c5172dcb194fef276a646

Download Submit
memory/2776-23-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2776-25-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2776-26-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2776-29-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2776-35-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download