gh0strat | 7860a718a39fad223a9a3400368d910473a2ff5ab8866379ee799edd4d9c857e

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 15:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a224ff2ae0e1d6a87e72d9e35b2f4038.exe
Size

229KB
MD5

a224ff2ae0e1d6a87e72d9e35b2f4038
SHA1

debe7c7200d2f2cc0aad4cab5a8cf4d2137de852
SHA256

7860a718a39fad223a9a3400368d910473a2ff5ab8866379ee799edd4d9c857e
SHA512

be987f10b90eb6de7b786100512ac523603ca76c19c4c56949a5c68f52bef0c33cb6d3511f8fd92369240dce152218615a07d3e8df49ceae6fac6de49ed689fc
SSDEEP

6144:slvT6WXx6EpjyL/HB3DtXbeQ6lczhCyJ1:Ob6e/tKJt16eYyJ1

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002311d-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\COKE.DLL"	a224ff2ae0e1d6a87e72d9e35b2f4038.exe

Deletes itself 1 IoCs

pid	Process
928	SVCHOST.EXE

Loads dropped DLL 1 IoCs

pid	Process
928	SVCHOST.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SVCHOST.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cbdb394.del	a224ff2ae0e1d6a87e72d9e35b2f4038.exe
File opened for modification	C:\Windows\SysWOW64\COKE.DLL	a224ff2ae0e1d6a87e72d9e35b2f4038.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\sYSTEM\cENTRALpROCEssor\0	SVCHOST.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SVCHOST.EXE

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	SVCHOST.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	SVCHOST.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SVCHOST.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	SVCHOST.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3020	a224ff2ae0e1d6a87e72d9e35b2f4038.exe
3020	a224ff2ae0e1d6a87e72d9e35b2f4038.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	928	SVCHOST.EXE
Token: SeSecurityPrivilege	928	SVCHOST.EXE
Token: SeSecurityPrivilege	928	SVCHOST.EXE
Token: SeBackupPrivilege	928	SVCHOST.EXE
Token: SeSecurityPrivilege	928	SVCHOST.EXE
Token: SeBackupPrivilege	928	SVCHOST.EXE
Token: SeSecurityPrivilege	928	SVCHOST.EXE

C:\Users\Admin\AppData\Local\Temp\a224ff2ae0e1d6a87e72d9e35b2f4038.exe
"C:\Users\Admin\AppData\Local\Temp\a224ff2ae0e1d6a87e72d9e35b2f4038.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\SysWOW64\SVCHOST.EXE
C:\Windows\SysWOW64\SVCHOST.EXE -K NETSVCS -s fastuserswitchingcompatibility
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\coke.dll

Filesize
152KB

MD5
0ac63c7f19251bb4981db2e78a0e0680

SHA1
edf0a4c532b1a132de116576a19676701bccd8d7

SHA256
fdfc0d33de99dde9680e4797b506ae557ca5904313665e2c684361ed6c3f78ce

SHA512
c4136367341869a200ffdea566d16244e28f050f7a5dcae3bd405b22e9398e19468aa6d2a535ebec8df55caea2769b4aeb917af819ecb1ccbc8395b7933fdc7d

Download Submit