gh0strat | 9d78d909a86ef314f05f3f86a4f7d77aea84e27e2d46fbce239d43e40c727c7d

Analysis

max time kernel
143s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 15:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7dd3c0d07e21e6ac695b2182f86c2535.exe
Size

382KB
MD5

7dd3c0d07e21e6ac695b2182f86c2535
SHA1

0cb17b579628c702dba83a76dd5b5d812bfa1836
SHA256

9d78d909a86ef314f05f3f86a4f7d77aea84e27e2d46fbce239d43e40c727c7d
SHA512

b39bd01bbae9722e0c096c1494fa191c2a36afc6dcfacc68bc342b30d4c40b6248d4b0c018c3054494c61f38a18097b4d2f325500a30396873d0c82287c1b20e
SSDEEP

6144:/V8HFsnY+jjpVCSqmVZ6XnniYvBZq2kXXl6BbFxueTwkkBn4aUJFBie9/28NNjaP:/VVY+jlddZSn5u2phxJtD8e9/20pMFJ

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3552-75-0x0000000000400000-0x00000000004D4000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	7dd3c0d07e21e6ac695b2182f86c2535.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	7dd3c0d07e21e6ac695b2182f86c2535.exe

Deletes itself 1 IoCs

pid	Process
1088	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3552	7dd3c0d07e21e6ac695b2182f86c2535.exe
1088	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	7dd3c0d07e21e6ac695b2182f86c2535.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

C:\Users\Admin\AppData\Local\Temp\7dd3c0d07e21e6ac695b2182f86c2535.exe
"C:\Users\Admin\AppData\Local\Temp\7dd3c0d07e21e6ac695b2182f86c2535.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:3552

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3552-0-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3552-1-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3552-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3552-21-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-66-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/3552-65-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/3552-64-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/3552-76-0x00000000006E0000-0x0000000000734000-memory.dmp

Filesize
336KB

Download
memory/3552-75-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3552-63-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3552-62-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3552-61-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3552-60-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3552-59-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3552-58-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3552-57-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3552-56-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3552-55-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3552-54-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3552-53-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3552-52-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3552-51-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3552-50-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3552-49-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3552-48-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3552-47-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-46-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-45-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-44-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-43-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-42-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-41-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-40-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-39-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-38-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-37-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-36-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-35-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-34-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-33-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-32-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-31-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-30-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-29-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-28-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-25-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-27-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-23-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-24-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-22-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-20-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-18-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3552-16-0x0000000003490000-0x0000000003492000-memory.dmp

Filesize
8KB

Download
memory/3552-15-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/3552-14-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/3552-13-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3552-12-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3552-11-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3552-10-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3552-6-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3552-5-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3552-4-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3552-2-0x00000000006E0000-0x0000000000734000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads