gh0strat | 677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f

Resubmissions

21-05-2024 08:19

240521-j7zqwaed2x 10

Analysis

max time kernel
101s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe
Size

112KB
MD5

27babb8977ca7f6a50282f43c3329633
SHA1

7c91256b5b67bab5fb538f4c3890300d0c066fa5
SHA256

677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f
SHA512

1e6fd61ca240a0be428e602c8e7d451a5446a83e03d2a15e418ee7a81ee2a3dad1d6d390e97983bf110d015b01698664590c63f1e66b658ac7d2e688024482a9
SSDEEP

1536:vqEA70HzLJksPEOajozLElnqiO2ZdJ/tHi:vXTLJkQ7zAV3xtC

Score

10^/10

gh0strat runningrat persistence rat

Malware Config

Extracted

Family

gh0strat

dgz.se1f.cc

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000022f51-1.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hypersvc\Parameters\ServiceDll = "C:\\Windows\\SysWOW64\\240600453.dll"	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe

Executes dropped EXE 1 IoCs

pid	Process
4720	hypersvc.exe

Loads dropped DLL 3 IoCs

pid	Process
4472	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe
2476	svchost.exe
4720	hypersvc.exe

Creates a Windows Service
persistence

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240600453.dll	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe
File created	C:\Windows\SysWOW64\hypersvc.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\hypersvc.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	hypersvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	hypersvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	hypersvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	hypersvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	hypersvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	hypersvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	hypersvc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5000	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4472	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe
4472	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe
4720	hypersvc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4472	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4472	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 736	4472	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe	84
PID 4472 wrote to memory of 736	4472	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe	84
PID 4472 wrote to memory of 736	4472	677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe	84
PID 736 wrote to memory of 5000	736	cmd.exe	86
PID 736 wrote to memory of 5000	736	cmd.exe	86
PID 736 wrote to memory of 5000	736	cmd.exe	86
PID 2476 wrote to memory of 4720	2476	svchost.exe	97
PID 2476 wrote to memory of 4720	2476	svchost.exe	97
PID 2476 wrote to memory of 4720	2476	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe
"C:\Users\Admin\AppData\Local\Temp\677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:5000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "hypersvc"
1⤵
PID:4944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "hypersvc"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\hypersvc.exe
  C:\Windows\system32\hypersvc.exe "c:\windows\System32\240600453.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\240600453.dll

Filesize
37KB

MD5
a947e6fc2adf885b7f559a9e3a90e611

SHA1
a74bc58fc294e4cae29380ade4924911499eaddf

SHA256
5b2d120e6f1498de909b4821eee6a3b08faf98bf999805e56828b96337613434

SHA512
64f11bcc0172f559a06a719cccfe25aba5f09add1e26cfd9bc26bef5f611ecc2bbb59fe2a17cdb3a5dd4ace4b15882038d7f1b8d0427dcdd180e57b6050e91da

Download Submit
C:\Windows\SysWOW64\hypersvc.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit