gh0strat | c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43

General

Target

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
Size

9.4MB
MD5

94d209ac5cd848317a7639b6a643960c
SHA1

db97abdeda046aee264e9b25072b78a4489a2a8a
SHA256

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43
SHA512

763f5ab1b322c802cf074b2545bb078b61271b26a63d54defc17dca0030ab4d4733951d55ecf107884b0e948d6c5946f39a44201e1763d8891a8e833236aeeae
SSDEEP

196608:c9xvu742tJevE8n2jpeChoKNryRa44hI8:qvqJOnquUB

Score

10^/10

gh0strat oss_ak persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259398446.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

Processes:

resource	yara_rule
behavioral1/memory/2668-51-0x0000000000400000-0x0000000001627000-memory.dmp	detect_ak_stuff

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GLk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\259398446.bat"	GLk.exe

Executes dropped EXE 3 IoCs

Processes:

GLk.exeHD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exesvchist.exe

pid process

2208 GLk.exe
2668 HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2176 svchist.exe

pid	process
2208	GLk.exe
2668	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2176	svchist.exe

Loads dropped DLL 11 IoCs

Processes:

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exeGLk.exesvchost.exeHD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exesvchist.exeWerFault.exe

pid	process
2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2208	GLk.exe
2980	svchost.exe
2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2668	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2980	svchost.exe
2176	svchist.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	upx
behavioral1/memory/2924-23-0x0000000003EC0000-0x00000000050E7000-memory.dmp	upx
behavioral1/memory/2668-24-0x0000000000400000-0x0000000001627000-memory.dmp	upx
behavioral1/memory/2668-31-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral1/memory/2668-34-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral1/memory/2668-33-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral1/memory/2668-32-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral1/memory/2668-30-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral1/memory/2668-51-0x0000000000400000-0x0000000001627000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

svchost.exeGLk.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File created	C:\Windows\SysWOW64\259398446.bat	GLk.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	GLk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2520 2668 WerFault.exe HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

pid process

2924 c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

pid	pid_target	process	target process
2520	2668	WerFault.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exeHD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

pid	process
2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2668	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2668	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exesvchost.exeHD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

description	pid	process	target process
PID 2924 wrote to memory of 2208	2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	GLk.exe
PID 2924 wrote to memory of 2208	2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	GLk.exe
PID 2924 wrote to memory of 2208	2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	GLk.exe
PID 2924 wrote to memory of 2208	2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	GLk.exe
PID 2924 wrote to memory of 2668	2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
PID 2924 wrote to memory of 2668	2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
PID 2924 wrote to memory of 2668	2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
PID 2924 wrote to memory of 2668	2924	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
PID 2980 wrote to memory of 2176	2980	svchost.exe	svchist.exe
PID 2980 wrote to memory of 2176	2980	svchost.exe	svchist.exe
PID 2980 wrote to memory of 2176	2980	svchost.exe	svchist.exe
PID 2980 wrote to memory of 2176	2980	svchost.exe	svchist.exe
PID 2668 wrote to memory of 2520	2668	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	WerFault.exe
PID 2668 wrote to memory of 2520	2668	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	WerFault.exe
PID 2668 wrote to memory of 2520	2668	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	WerFault.exe
PID 2668 wrote to memory of 2520	2668	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
"C:\Users\Admin\AppData\Local\Temp\c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\GLk.exe
C:\Users\Admin\AppData\Local\Temp\\GLk.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2208

C:\Users\Admin\AppData\Local\Temp\HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
C:\Users\Admin\AppData\Local\Temp\\HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 432
3⤵
- Loads dropped DLL
- Program crash
PID:2520

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
PID:2076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\svchist.exe
C:\Windows\system32\svchist.exe "c:\windows\system32\259398446.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.2MB

MD5
7e77a529093ae4048a9cf756bb7058bd

SHA1
853ebd86d78bb8fbced937bde257634599001e09

SHA256
9d6cc1b56054ee63996263c26c1d75cdd8220c2f4718545cfc9150ee3e216178

SHA512
d26443427d56e859344c4535fa2176649b136063de6324901323732cf68dd5498f2475aeeb94ac40ab78c2d1968d7a763ad5c99d1ebe90090190d4dc9d7d95f3

Download Submit
\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll
Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
\Users\Admin\AppData\Local\Temp\GLk.exe
Filesize
337KB

MD5
b8e58a96761799f4ad0548dba39d650c

SHA1
c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f

SHA256
334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df

SHA512
1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

Download Submit
\Users\Admin\AppData\Local\Temp\HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
Filesize
8.3MB

MD5
68182c831aecfbcb52540d7f628c8b86

SHA1
6eb46e3ee58f4f5f93a570b051cce0210d37180c

SHA256
83e5dddf72dc7224af106de7d387f5854f20619020abb3f5ac97bd4ac1e760af

SHA512
41c938a00d436edae5afdaa714dfa8f650b960acd48685bc89392b33bbc43a12d57add32eaf66fc7816e8057fb245f1d5db8c6d9e8669ba9f78a8f55a8f0ff86

Download Submit
\Windows\SysWOW64\259398446.bat
Filesize
51KB

MD5
a4f95328aca88cd6e446b521bb72dcf9

SHA1
55e6d457f452df8db80a8dcbb94e618cd2d44b1e

SHA256
04449e655aa2249f48a7d05ac37d6ed1d0cd7c249248dd5264a5a266230d2234

SHA512
ad02861af17d3b8de33fef3cf943fdf2c359c713d68fc1b72bf0a367b1f0e430df671f100063629595f7717363ba643ffcc560e65a14680efd078a7a4721ce11

Download Submit
\Windows\SysWOW64\svchist.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2668-30-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2668-31-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2668-34-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2668-33-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2668-32-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2668-36-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2668-24-0x0000000000400000-0x0000000001627000-memory.dmp

Filesize
18.2MB

Download
memory/2668-51-0x0000000000400000-0x0000000001627000-memory.dmp

Filesize
18.2MB

Download
memory/2924-25-0x0000000003EC0000-0x00000000050E7000-memory.dmp

Filesize
18.2MB

Download
memory/2924-0-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2924-52-0x0000000003EC0000-0x00000000050E7000-memory.dmp

Filesize
18.2MB

Download
memory/2924-23-0x0000000003EC0000-0x00000000050E7000-memory.dmp

Filesize
18.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads