gh0strat | 7f90d34e5154e6b3be192629776dd556785799a62b74ec816bfd2d0caf82a06b

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d355265faef465587580732d8401886.exe
Size

148KB
MD5

7d355265faef465587580732d8401886
SHA1

0c64fa523ebf294cbe7e43267dbc7e0f9534b15a
SHA256

7f90d34e5154e6b3be192629776dd556785799a62b74ec816bfd2d0caf82a06b
SHA512

5807a293860b85a1faad2c51f9b21366e42f582d2adbb49ef4900d9090eb70625c8001c21aa9881b2ed4549670acf96b4fadbaf9816e3e7ce29b79ec8d2a472e
SSDEEP

3072:lhT2137DYmJRJKph0QinoLKY6rlmkrylwdxMnoRvsiKm5NHVMSGkN:lhRqJkLLgrl8ltnbi5N1MSG6

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013a83-7.dat	family_gh0strat
behavioral1/memory/2676-9-0x0000000000400000-0x0000000000436000-memory.dmp	family_gh0strat
behavioral1/memory/2676-15-0x0000000000400000-0x0000000000436000-memory.dmp	family_gh0strat
behavioral1/files/0x0007000000016cf2-12.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14F88B9F-B9F7-4678-A33C-807A8C4DE95A}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14F88B9F-B9F7-4678-A33C-807A8C4DE95A}\stubpath = "C:\\Windows\\system32\\innfvgrkz.exe"	windows.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	windows.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\innfvgrkz.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\innfvgrkz.exe_lang.ini	windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	windows.exe
2676	windows.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe
2676	windows.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	windows.exe
Token: SeDebugPrivilege	2676	windows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2464	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2676	1780	7d355265faef465587580732d8401886.exe	29
PID 1780 wrote to memory of 2676	1780	7d355265faef465587580732d8401886.exe	29
PID 1780 wrote to memory of 2676	1780	7d355265faef465587580732d8401886.exe	29
PID 1780 wrote to memory of 2676	1780	7d355265faef465587580732d8401886.exe	29
PID 1780 wrote to memory of 2676	1780	7d355265faef465587580732d8401886.exe	29
PID 1780 wrote to memory of 2676	1780	7d355265faef465587580732d8401886.exe	29
PID 1780 wrote to memory of 2676	1780	7d355265faef465587580732d8401886.exe	29
PID 2676 wrote to memory of 388	2676	windows.exe	5
PID 2676 wrote to memory of 388	2676	windows.exe	5
PID 2676 wrote to memory of 388	2676	windows.exe	5
PID 2676 wrote to memory of 388	2676	windows.exe	5
PID 2676 wrote to memory of 388	2676	windows.exe	5
PID 2676 wrote to memory of 388	2676	windows.exe	5
PID 2676 wrote to memory of 388	2676	windows.exe	5
PID 2676 wrote to memory of 400	2676	windows.exe	4
PID 2676 wrote to memory of 400	2676	windows.exe	4
PID 2676 wrote to memory of 400	2676	windows.exe	4
PID 2676 wrote to memory of 400	2676	windows.exe	4
PID 2676 wrote to memory of 400	2676	windows.exe	4
PID 2676 wrote to memory of 400	2676	windows.exe	4
PID 2676 wrote to memory of 400	2676	windows.exe	4
PID 2676 wrote to memory of 436	2676	windows.exe	3
PID 2676 wrote to memory of 436	2676	windows.exe	3
PID 2676 wrote to memory of 436	2676	windows.exe	3
PID 2676 wrote to memory of 436	2676	windows.exe	3
PID 2676 wrote to memory of 436	2676	windows.exe	3
PID 2676 wrote to memory of 436	2676	windows.exe	3
PID 2676 wrote to memory of 436	2676	windows.exe	3
PID 2676 wrote to memory of 480	2676	windows.exe	2
PID 2676 wrote to memory of 480	2676	windows.exe	2
PID 2676 wrote to memory of 480	2676	windows.exe	2
PID 2676 wrote to memory of 480	2676	windows.exe	2
PID 2676 wrote to memory of 480	2676	windows.exe	2
PID 2676 wrote to memory of 480	2676	windows.exe	2
PID 2676 wrote to memory of 480	2676	windows.exe	2
PID 2676 wrote to memory of 496	2676	windows.exe	1
PID 2676 wrote to memory of 496	2676	windows.exe	1
PID 2676 wrote to memory of 496	2676	windows.exe	1
PID 2676 wrote to memory of 496	2676	windows.exe	1
PID 2676 wrote to memory of 496	2676	windows.exe	1
PID 2676 wrote to memory of 496	2676	windows.exe	1
PID 2676 wrote to memory of 496	2676	windows.exe	1
PID 2676 wrote to memory of 504	2676	windows.exe	22
PID 2676 wrote to memory of 504	2676	windows.exe	22
PID 2676 wrote to memory of 504	2676	windows.exe	22
PID 2676 wrote to memory of 504	2676	windows.exe	22
PID 2676 wrote to memory of 504	2676	windows.exe	22
PID 2676 wrote to memory of 504	2676	windows.exe	22
PID 2676 wrote to memory of 504	2676	windows.exe	22
PID 2676 wrote to memory of 604	2676	windows.exe	8
PID 2676 wrote to memory of 604	2676	windows.exe	8
PID 2676 wrote to memory of 604	2676	windows.exe	8
PID 2676 wrote to memory of 604	2676	windows.exe	8
PID 2676 wrote to memory of 604	2676	windows.exe	8
PID 2676 wrote to memory of 604	2676	windows.exe	8
PID 2676 wrote to memory of 604	2676	windows.exe	8
PID 2676 wrote to memory of 680	2676	windows.exe	21
PID 2676 wrote to memory of 680	2676	windows.exe	21
PID 2676 wrote to memory of 680	2676	windows.exe	21
PID 2676 wrote to memory of 680	2676	windows.exe	21
PID 2676 wrote to memory of 680	2676	windows.exe	21
PID 2676 wrote to memory of 680	2676	windows.exe	21
PID 2676 wrote to memory of 680	2676	windows.exe	21
PID 2676 wrote to memory of 744	2676	windows.exe	9

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:272
- - C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2464
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:744
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:868
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1084
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1124
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:288
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:980
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:824
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2152

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\7d355265faef465587580732d8401886.exe
  "C:\Users\Admin\AppData\Local\Temp\7d355265faef465587580732d8401886.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\windows.exe
    "C:\windows.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\innfvgrkz.exe

Filesize
105KB

MD5
6405f96ed58ef1571f16d3c843e9db4b

SHA1
8cdbb88da5997469313fa916293e2165de22e09f

SHA256
c96871712ce455d34ca3ea92e8293a41cfe831ca08115514a16bec9bf578d16f

SHA512
3a9ad70709ff814bd5b810e062de6b92a06e263277090b1dcfb32cfa347c6fa253bb2da98d12286434d563ca1dff0563815d7877b8ecde6136e2afa21ff4ce37

Download Submit
C:\windows.exe

Filesize
201KB

MD5
02d4c9a92b4d17cec860b4d6089d7453

SHA1
1f43da3736724fbc13c54120369484f7dbe59290

SHA256
afc33ff93923983c4d4d70281cc840b7de3d99e070a280f5376082b529eb211a

SHA512
de931cca11ed7181f395258eb3bef65aae301a97357311eceea331ea4d23970519bd812b6eca85718a0779119eac5b429193fec2a47951bcb02210b08339c34e

Download Submit
C:\¤±¤¤¤·.jpg

Filesize
5KB

MD5
e137ffb2fa274f01ef796d149e990c49

SHA1
9d87efa338fc6f9130de0180e66040761fa90de8

SHA256
4cd705e0bba9c3867f529e06a01154c1d29963fde157ddce90e6fe7b39122c4b

SHA512
49ab6fccfd3381797dd37517368e1c2d0aabbe9a636476d7e4e4d862bb61784d52111ed2b1f10ccdef88d7fb7f085773db1dc847938ffa3ef1cb949e025c2a2b

Download Submit
memory/1780-2-0x0000000001F80000-0x0000000001F82000-memory.dmp

Filesize
8KB

Download
memory/1780-8-0x0000000000570000-0x00000000005A6000-memory.dmp

Filesize
216KB

Download
memory/2464-3-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2464-16-0x000000007EF80000-0x000000007EF8C000-memory.dmp

Filesize
48KB

Download
memory/2464-18-0x000000007EF80000-0x000000007EF8C000-memory.dmp

Filesize
48KB

Download
memory/2676-11-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/2676-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download