gh0strat | c6e004ce8f1b8dfb399ec68a233e1a3a81cf64c881e47f81ec31463314d1c077

Analysis

max time kernel
120s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53397094dbd937ef05b0e134a282c265.exe
Size

188KB
MD5

53397094dbd937ef05b0e134a282c265
SHA1

caab0abc9d1b57c5c0555987c7baf282f34f63c5
SHA256

c6e004ce8f1b8dfb399ec68a233e1a3a81cf64c881e47f81ec31463314d1c077
SHA512

fb912f41a7151e5c65cbbd4e82c4fa163e527da3e4d7f510a0cc4b11ca70755af4918ae51ee2374d0d53896437f3aa331765446a33c90c099b898b51fa192866
SSDEEP

3072:tCSdgcPm7U2kTuP91jcg4elu5tm+r84o17EFXwy0vwanksgcI:tfdnPmETuP9eg/ui684NFv0S

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0033000000014aca-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2680	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2680	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nivrxdokgn	svchost.exe
File created	C:\Windows\SysWOW64\nrjkggqiti	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\NETMEE~1\icles.lib	53397094dbd937ef05b0e134a282c265.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2680	svchost.exe
2680	svchost.exe
2680	svchost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	2420	53397094dbd937ef05b0e134a282c265.exe
Token: SeRestorePrivilege	2420	53397094dbd937ef05b0e134a282c265.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeRestorePrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeRestorePrivilege	2680	svchost.exe

C:\Users\Admin\AppData\Local\Temp\53397094dbd937ef05b0e134a282c265.exe
"C:\Users\Admin\AppData\Local\Temp\53397094dbd937ef05b0e134a282c265.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\progra~2\netmee~1\icles.lib

Filesize
436KB

MD5
4db7e56431468070a564f430de91b444

SHA1
872bb43e511cc107c4f2c49d08940f7a33ce6095

SHA256
7ebc1d94c120228682e0edf6423cd45e65fc2fd8a3808b93ff34ec98f9c12bec

SHA512
416d441da69cf1b46f563dbd812669f169dd8d6ca55a32462892e1e0466f221a2834176893e6f2eeec6fb2bd6822cc0be72a9ac51639c461742fbaae8b13681d

Download Submit