gh0strat | e2753d1f94c725eb27f84f357dacff3798f150f7ad9dd79670e69ad47a9f97ca

General

Target

7513e57c331cd7120208f3a584eea311.exe
Size

69KB
MD5

7513e57c331cd7120208f3a584eea311
SHA1

46e98bd37f3f5671515d496d683d7be1649fbf9d
SHA256

e2753d1f94c725eb27f84f357dacff3798f150f7ad9dd79670e69ad47a9f97ca
SHA512

7947a8614d9d7f5c1e7b3469c1127f397fcc7dc325952fd53f829e39869e1908b0900793a1380043fb2a3b4d3576f33ce2ad67fde18c4d3f3ace9ed6cf64a572
SSDEEP

1536:8cTRKSxseQFLQw+rn7TZOdzcbHNO8GSno1dvyia1i7atcAZ:8cTFxseQFYnjbuSo1pyTiGS0

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4792-8-0x0000000010000000-0x0000000010032000-memory.dmp	family_gh0strat
behavioral2/memory/2728-15-0x0000000010000000-0x0000000010032000-memory.dmp	family_gh0strat
behavioral2/memory/2728-16-0x0000000010000000-0x0000000010032000-memory.dmp	family_gh0strat
behavioral2/memory/2728-28-0x0000000010000000-0x0000000010032000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	7513e57c331cd7120208f3a584eea311.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityuk.dll"	7513e57c331cd7120208f3a584eea311.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000231fa-6.dat	acprotect
behavioral2/files/0x00070000000231fd-12.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2728	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
4792	7513e57c331cd7120208f3a584eea311.exe
2728	svchost.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\U3RU3TKH.htm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\DYWXWIS6.htm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityuk.dll	7513e57c331cd7120208f3a584eea311.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	svchost.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4792	7513e57c331cd7120208f3a584eea311.exe
4792	7513e57c331cd7120208f3a584eea311.exe
4792	7513e57c331cd7120208f3a584eea311.exe
4792	7513e57c331cd7120208f3a584eea311.exe
4792	7513e57c331cd7120208f3a584eea311.exe
4792	7513e57c331cd7120208f3a584eea311.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

C:\Users\Admin\AppData\Local\Temp\7513e57c331cd7120208f3a584eea311.exe
"C:\Users\Admin\AppData\Local\Temp\7513e57c331cd7120208f3a584eea311.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240601796_ex.tmp

Filesize
57KB

MD5
f889f07b71b7c339839491fc49f9e9f0

SHA1
2c54bd581d6dc509fb60c2f3b31bfcd776fe309a

SHA256
ae49e4a7459572991ab67619b10fa22fdec87ffb45f4ea085b5347f01067941b

SHA512
d09cba4f45a1ea22b17b563fe9ff2b399b2af2402ef80442b4def5100af783eef10bf528601d33a833d2a884e9d42123b465c9ceef9389467f5ba9cdcaf7121f

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityuk.dll

Filesize
57KB

MD5
f3c6c6e5b5a3312d13d8f16a894b474a

SHA1
942a009209059ba0f0c8970d9539fdfaf26e912d

SHA256
24743d8ec5fa6df017d833b9f3bfdef8f1aa238532dcd2e90e424dc71c4dc8a9

SHA512
0caa26aad41cc965a79b32f8697ae0f5ea6c2a9e4678e9a29937605faaa4e6cb6d9a0dd246206bae16e389a35ce498cab4ecd15057659042f48edf671b8bddd2

Download Submit
memory/2728-15-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2728-16-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2728-28-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/4792-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4792-7-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/4792-8-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/4792-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads