gh0strat | 7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8

General

Target

7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
Size

12.9MB
MD5

f57575642e162b812721afe083ee8398
SHA1

81848911863bed5e2a1cabe5193aed071cd5910d
SHA256

7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8
SHA512

fac0036f6206d12ca78ec8f5673c433cd9ceb7c7bb4bff7d0300e355bdf4d0f92bd0437abe33e0b53ac3bfab8df2c6219dda3258f79ac744d47b24f28b2ab61b
SSDEEP

196608:b75bAxEXHYN8r1j8Uu3glpFRX9eDo0TSrow3P9R+EwVEzufFb:f5bAxEXtZoj3wRtWoHl3P7teE6b

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259401145.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259401145.bat"	look2.exe

Executes dropped EXE 3 IoCs

Processes:

look2.exeHD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exesvchcst.exe

pid process

2980 look2.exe
2732 HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
2456 svchcst.exe

pid	process
2980	look2.exe
2732	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
2456	svchcst.exe

Loads dropped DLL 6 IoCs

Processes:

7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exelook2.exesvchost.exesvchcst.exe

pid	process
1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
2980	look2.exe
2604	svchost.exe
1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
2604	svchost.exe
2456	svchcst.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

description ioc process

File opened (read-only) \??\F: HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

description	ioc	process
File opened (read-only)	\??\F:	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\259401145.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exeHD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

pid	process
1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
2732	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
2732	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
2732	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exeHD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

pid	process
1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
2732	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
2732	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exesvchost.exe

description	pid	process	target process
PID 1692 wrote to memory of 2980	1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe	look2.exe
PID 1692 wrote to memory of 2980	1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe	look2.exe
PID 1692 wrote to memory of 2980	1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe	look2.exe
PID 1692 wrote to memory of 2980	1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe	look2.exe
PID 1692 wrote to memory of 2732	1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
PID 1692 wrote to memory of 2732	1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
PID 1692 wrote to memory of 2732	1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
PID 1692 wrote to memory of 2732	1692	7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe	HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
PID 2604 wrote to memory of 2456	2604	svchost.exe	svchcst.exe
PID 2604 wrote to memory of 2456	2604	svchost.exe	svchcst.exe
PID 2604 wrote to memory of 2456	2604	svchost.exe	svchcst.exe
PID 2604 wrote to memory of 2456	2604	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
"C:\Users\Admin\AppData\Local\Temp\7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
  C:\Users\Admin\AppData\Local\Temp\HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2732

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\259401145.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.1MB

MD5
717e21730e7525de63936921a47cc13b

SHA1
5e3150d99a6cf55fa3d821478dce1cf91417fbe9

SHA256
0445c20e6fc89ca6fb8e31df69509d26e711d585a75e6ed02b3e6dbf22e6c668

SHA512
f6c1cfbb6e3ee88cf9ff11f342279abab650709da60aad5011602441c27711870c84b2607b718c224926ff7de2d99534192088df511bd9fcdda0849563b55888

Download Submit
\Users\Admin\AppData\Local\Temp\HD_7d553f225dc9bd6a31d4f1c36a1531dc5cbce295bab80a5857420beff2cf54e8.exe

Filesize
11.8MB

MD5
254b45ec5f99503435f9bfb72422ec42

SHA1
66190834d2fbad2b0ce5cda7fa3682090008723a

SHA256
490b2a587f73db5f8ff00102b50f5dde552c5533632a2610a5fe01326ae79767

SHA512
1aeccd7b9963b28f287bb173e9f157f9753c2acb15316e213d8ff043ef86b4a0fdccce5e413ab3556b26bd1d1f2d5419a1db50d545e26d0acb13e92a525d9a05

Download Submit
\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
\Windows\SysWOW64\259401145.bat

Filesize
51KB

MD5
be6d888fc60f2e13c886948e07baeaf7

SHA1
3da6d5a30740b5e0a33ceb2f4d70baa9fb171f88

SHA256
d4efdc645fd63d46cc28ee9e2b2541bbc9f2f2b55773105944e3ef46e697dd01

SHA512
6ff8acb88e79d34b1b1994ac3d09f5a70f660d98460f84ec7c2cf25684ab3f1cfd0f01eeac3f2e76b0ca35be12c3a8a9e2d989c6eae49525af42496dceb7147e

Download Submit
\Windows\SysWOW64\svchcst.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1692-19-0x00000000023B0000-0x0000000002A8C000-memory.dmp

Filesize
6.9MB

Download
memory/1692-48-0x00000000023B0000-0x0000000002A8C000-memory.dmp

Filesize
6.9MB

Download
memory/2732-20-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/2732-27-0x0000000075900000-0x0000000075901000-memory.dmp

Filesize
4KB

Download
memory/2732-23-0x0000000077AA0000-0x0000000077AA1000-memory.dmp

Filesize
4KB

Download
memory/2732-21-0x0000000077AA0000-0x0000000077AA1000-memory.dmp

Filesize
4KB

Download
memory/2732-49-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads