gh0strat | 2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
Size

4.3MB
MD5

576593affb4c49d46466f58e617d3be7
SHA1

d3b9288e85a5e5a69209de10f20837153446be24
SHA256

2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae
SHA512

346b04b554615e5bb4afef83df4498bbfcc9001c5d6179e6ef611c898e1742d1e521bb37170c10cfa0dbf4a5565c07680536d614ef8b21c8b75a49a411b802b1
SSDEEP

98304:92SVMD8unlE3SfhUtKnUytb70vu5BteBb:1EnlEC+tKUyx0vWteBb

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource yara_rule

C:\Windows\SysWOW64\240647765.bat family_gh0strat
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
persistence

Terminal Services DLL
T1505.005

Processes:

look2.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240647765.bat" look2.exe
Executes dropped EXE 3 IoCs

Processes:

look2.exeHD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exesvchcst.exe

pid process

840 look2.exe
2236 HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
5016 svchcst.exe
Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid process

840 look2.exe
692 svchost.exe
5016 svchcst.exe

resource	yara_rule
C:\Windows\SysWOW64\240647765.bat	family_gh0strat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240647765.bat"	look2.exe

pid	process
840	look2.exe
2236	HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
5016	svchcst.exe

pid	process
840	look2.exe
692	svchost.exe
5016	svchcst.exe

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\240647765.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4536 840 WerFault.exe look2.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe

pid process

1516 2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
1516 2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe

description pid process

Token: SeDebugPrivilege 2236 HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe

pid process

2236 HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe

pid process

1516 2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
1516 2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe

pid	pid_target	process	target process
4536	840	WerFault.exe	look2.exe

pid	process
1516	2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
1516	2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe

description	pid	process
Token: SeDebugPrivilege	2236	HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe

pid	process
2236	HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe

pid	process
1516	2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
1516	2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exesvchost.exe

description	pid	process	target process
PID 1516 wrote to memory of 840	1516	2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe	look2.exe
PID 1516 wrote to memory of 840	1516	2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe	look2.exe
PID 1516 wrote to memory of 840	1516	2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe	look2.exe
PID 1516 wrote to memory of 2236	1516	2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe	HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
PID 1516 wrote to memory of 2236	1516	2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe	HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
PID 692 wrote to memory of 5016	692	svchost.exe	svchcst.exe
PID 692 wrote to memory of 5016	692	svchost.exe	svchcst.exe
PID 692 wrote to memory of 5016	692	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
"C:\Users\Admin\AppData\Local\Temp\2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 564
3⤵
- Program crash
PID:4536

C:\Users\Admin\AppData\Local\Temp\HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
C:\Users\Admin\AppData\Local\Temp\HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2236

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:3496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240647765.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 840 -ip 840
1⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:4580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_2b26ce77a2e6e514bd0a9f86c47bb726f97b5a40e89754c393da5df1dca2afae.exe
Filesize
3.1MB

MD5
184ce287a986cf1e8918f06e2079fe52

SHA1
91a109b51e5d5cdb83b68d0f4acc81d662db3b2d

SHA256
f47807490d4cd0a03e0dc16fed36754e33cbcf530505f0a32b5408a8d5b6972b

SHA512
ec01739a04c882ef7de36bc59a72a574e880dc2caa7e877efdd8ab922bf254ca0df82e68e1bb0ebbd9695438e565678cc863ebe86f5dfab196140958d911ebd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe
Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240647765.bat
Filesize
51KB

MD5
100e5742f14d75303666eca801f566f3

SHA1
69cef9f07ca3235a301616a080f35730668b0cf9

SHA256
65fb89b3b092ae0ed427b0e9410476280fb8d5fc4bf529af01ea233ab56fd7ef

SHA512
53e84f1152331a6f19dace697649af82b20d1697b7612321c2462f8a4a0567ca7a0683de9080b72b55dd9b7c6e3c5a27781fb382864c9a717a76492a6b731272

Download Submit
C:\Windows\SysWOW64\svchcst.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/2236-13-0x00007FF82DDE3000-0x00007FF82DDE5000-memory.dmp

Filesize
8KB

Download
memory/2236-23-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-14-0x0000024F69420000-0x0000024F69734000-memory.dmp

Filesize
3.1MB

Download
memory/2236-28-0x0000024F6D9D0000-0x0000024F6DCA0000-memory.dmp

Filesize
2.8MB

Download
memory/2236-31-0x0000024F72C50000-0x0000024F72C88000-memory.dmp

Filesize
224KB

Download
memory/2236-32-0x0000024F72C20000-0x0000024F72C2E000-memory.dmp

Filesize
56KB

Download
memory/2236-34-0x0000024F72A20000-0x0000024F72AC8000-memory.dmp

Filesize
672KB

Download
memory/2236-43-0x00007FF82DDE3000-0x00007FF82DDE5000-memory.dmp

Filesize
8KB

Download
memory/2236-44-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

Filesize
10.8MB

Download