gh0strat | 5a29690b42487507b0450556c55276c446da7ca41c72861e57b5685869d24cd6

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 03:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ML7R9U7.exe
Size

359KB
MD5

a37556c8cfd7eaba495a318a0de59466
SHA1

07707cba7364e130f35eddbcab7702db44e7e671
SHA256

08e9d8d7b108683314e5fad199d52b868713807697704f08ddc4b825553cca20
SHA512

be38b134da1675a51585787433b8ec98eee5940db103eac5e2e851c65e6050f45b943aa8fe76393f593f7de1a4de0a636327c3f78c3d7a056308fa3a54c08d23
SSDEEP

6144:2ZpuZnVB3/nPwArobrJEoXG81WAheOBO77NsHJDi1tPYP6lLaYpPqQ5aSAwz07Au:2ZM13/nPw6ovJE2G8IAheOA7JsH1KtPm

Score

10^/10

gh0strat evasion rat trojan

Malware Config

Extracted

Family

gh0strat

27.124.10.162

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/5112-1-0x00000000017F0000-0x000000000181D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ML7R9U7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ML7R9U7.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3960	regedit.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe
5112	ML7R9U7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3556	5112	ML7R9U7.exe	88
PID 5112 wrote to memory of 3556	5112	ML7R9U7.exe	88
PID 5112 wrote to memory of 3556	5112	ML7R9U7.exe	88
PID 3556 wrote to memory of 3960	3556	cmd.exe	89
PID 3556 wrote to memory of 3960	3556	cmd.exe	89
PID 3556 wrote to memory of 3960	3556	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\ML7R9U7.exe
"C:\Users\Admin\AppData\Local\Temp\ML7R9U7.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\SysWOW64\cmd.exe
  cmd /C regedit /s Uac.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s Uac.reg
    3⤵
    - UAC bypass
    - Runs .reg file with regedit
    PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uac.reg

Filesize
245B

MD5
3259410b95978a44d4a95a1d1815cc6d

SHA1
26d3928a81f9d754c7991673c6b856652ce38f98

SHA256
182d0025f616b82d52f824e52ec21f6f75cb3cba3e31b0f27c1f8d1a6d5aa7b5

SHA512
44b7fdec8e4346901cc73927536b9841489b16e1faf4a25e17bb620195b4d0f841c7a5746b4f7a37fc91b7b9606abcb61b662b5732935472064b5eab31ce300b

Download Submit
memory/5112-0-0x0000000000910000-0x00000000009F0000-memory.dmp

Filesize
896KB

Download
memory/5112-1-0x00000000017F0000-0x000000000181D000-memory.dmp

Filesize
180KB

Download
memory/5112-12-0x0000000062E80000-0x0000000062E9D000-memory.dmp

Filesize
116KB

Download
memory/5112-13-0x0000000060E40000-0x0000000060E5D000-memory.dmp

Filesize
116KB

Download
memory/5112-14-0x0000000000910000-0x00000000009F0000-memory.dmp

Filesize
896KB

Download