gh0strat | 2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730

Analysis

max time kernel
145s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe
Size

1.8MB
MD5

73ffb7989fc975f95ab26d55c408ad86
SHA1

165dfd80b6fe70f967144bbeec003efea6fa8af0
SHA256

2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730
SHA512

93e8e895384b23a68c1408ac53cc41e9f9bdf58707eb2975057e25779abeb890ff50e8f04783d7b73c4c1f2e16346f2b886074f2bb9c70eff1ce4c7c9ec580b9
SSDEEP

24576:F9kfMQQMjWHOFaaJF+aqpWBveuulSvOzPE83LptxnW7gsc24V0CNZUK:3HSjhFZ+aq9uu4S8YLNnWZ46CNZ/

Score

10^/10

gh0strat aspackv2 rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0009000000022e48-144.dat	family_gh0strat
behavioral2/files/0x0009000000022e48-145.dat	family_gh0strat
behavioral2/files/0x0009000000022e48-146.dat	family_gh0strat
behavioral2/files/0x0009000000022e48-148.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000022e2d-139.dat	aspack_v212_v242
behavioral2/files/0x0009000000022e2d-140.dat	aspack_v212_v242
behavioral2/files/0x000a000000022e3c-142.dat	aspack_v212_v242
behavioral2/files/0x000a000000022e3c-143.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
5004	1.exe
3700	2.exe
4720	gtihbnjsmr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe

Loads dropped DLL 3 IoCs

pid	Process
3548	svchost.exe
1816	svchost.exe
2580	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\htefqslhrp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\hfqikyhicx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\hugpuqpceh	svchost.exe
File created	C:\Windows\SysWOW64\hlahkgcqrj	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1328	3548	WerFault.exe	86
1764	1816	WerFault.exe	90
3956	2580	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4720	gtihbnjsmr
4720	gtihbnjsmr

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeRestorePrivilege	4720	gtihbnjsmr
Token: SeBackupPrivilege	4720	gtihbnjsmr
Token: SeBackupPrivilege	4720	gtihbnjsmr
Token: SeRestorePrivilege	4720	gtihbnjsmr
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeRestorePrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeSecurityPrivilege	3548	svchost.exe
Token: SeSecurityPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeSecurityPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeSecurityPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeRestorePrivilege	3548	svchost.exe
Token: SeBackupPrivilege	1816	svchost.exe
Token: SeRestorePrivilege	1816	svchost.exe
Token: SeBackupPrivilege	1816	svchost.exe
Token: SeBackupPrivilege	1816	svchost.exe
Token: SeSecurityPrivilege	1816	svchost.exe
Token: SeSecurityPrivilege	1816	svchost.exe
Token: SeBackupPrivilege	1816	svchost.exe
Token: SeBackupPrivilege	1816	svchost.exe
Token: SeSecurityPrivilege	1816	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 5004	3584	2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe	81
PID 3584 wrote to memory of 5004	3584	2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe	81
PID 3584 wrote to memory of 5004	3584	2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe	81
PID 3584 wrote to memory of 3700	3584	2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe	84
PID 3584 wrote to memory of 3700	3584	2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe	84
PID 3584 wrote to memory of 3700	3584	2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe	84
PID 3700 wrote to memory of 4720	3700	2.exe	85
PID 3700 wrote to memory of 4720	3700	2.exe	85
PID 3700 wrote to memory of 4720	3700	2.exe	85

C:\Users\Admin\AppData\Local\Temp\2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe
"C:\Users\Admin\AppData\Local\Temp\2822f04c9c70c138e3253c157bf569ace4761849a97ec35eb5768a78c9989730.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3700
- - \??\c:\users\admin\appdata\local\gtihbnjsmr
    "C:\Users\Admin\AppData\Local\Temp\2.exe" a -sc:\users\admin\appdata\local\temp\2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4720

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 764
  2⤵
  - Program crash
  PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3548 -ip 3548
1⤵
PID:1796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 824
  2⤵
  - Program crash
  PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1816 -ip 1816
1⤵
PID:4488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 680
  2⤵
  - Program crash
  PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2580 -ip 2580
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DRM\%SESSIONNAME%\ipmce.cc3

Filesize
20.0MB

MD5
a44b1f7650b239e9d4bd9abe86c18de0

SHA1
9b70c7449c7513c6a4e4266088815de9dd3ff566

SHA256
9d671cd3ef982458c4c1de3db8b5d7f0c84c210e470a5bc7a5dd676aa8b96d37

SHA512
57e316616e33c0048f7f21e3d303ff2cb2d1db4dc906dddbcc7268630716e8270be20595a104bd059660fb3561d4f2c57e7a111e9177de55b577e0c98c66ee07

Download Submit
C:\ProgramData\DRM\%SESSIONNAME%\ipmce.cc3

Filesize
20.0MB

MD5
a44b1f7650b239e9d4bd9abe86c18de0

SHA1
9b70c7449c7513c6a4e4266088815de9dd3ff566

SHA256
9d671cd3ef982458c4c1de3db8b5d7f0c84c210e470a5bc7a5dd676aa8b96d37

SHA512
57e316616e33c0048f7f21e3d303ff2cb2d1db4dc906dddbcc7268630716e8270be20595a104bd059660fb3561d4f2c57e7a111e9177de55b577e0c98c66ee07

Download Submit
C:\ProgramData\DRM\%SESSIONNAME%\ipmce.cc3

Filesize
20.0MB

MD5
a44b1f7650b239e9d4bd9abe86c18de0

SHA1
9b70c7449c7513c6a4e4266088815de9dd3ff566

SHA256
9d671cd3ef982458c4c1de3db8b5d7f0c84c210e470a5bc7a5dd676aa8b96d37

SHA512
57e316616e33c0048f7f21e3d303ff2cb2d1db4dc906dddbcc7268630716e8270be20595a104bd059660fb3561d4f2c57e7a111e9177de55b577e0c98c66ee07

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
1.1MB

MD5
7d9b1348278ceab446bdf40479594094

SHA1
e1c1f9e19664daf9413b34e767866bae822a54c5

SHA256
2274104d2c4df50ba1827f1e4d1d619d235b49213912b09552eb9c16f72ef407

SHA512
db2b3bb99446c9496c6196ce993e2fe825867b3f4e4051fbf9660cb5c01c00ad22569b2502777b398473d447a306ad7009f5de3d284f086007f7b40b034c7996

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
1.1MB

MD5
7d9b1348278ceab446bdf40479594094

SHA1
e1c1f9e19664daf9413b34e767866bae822a54c5

SHA256
2274104d2c4df50ba1827f1e4d1d619d235b49213912b09552eb9c16f72ef407

SHA512
db2b3bb99446c9496c6196ce993e2fe825867b3f4e4051fbf9660cb5c01c00ad22569b2502777b398473d447a306ad7009f5de3d284f086007f7b40b034c7996

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
98KB

MD5
3c67b89fd6c8e1d131cd6c21de2f648f

SHA1
d5d98aa24c7bf260abc8e7dc8ffe41aecc0fe6d0

SHA256
f884d9faae676215b12673907004836f80af86f5686d2c80f39f4512d793775f

SHA512
9e1e5c8880176c760b72b7e4211f837b4002e9e2c4ce84e34544e2b3d42208ea76e82490cee423e2e93ef7afa57bc899e90364b0cf016283e555c2e48b54a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
98KB

MD5
3c67b89fd6c8e1d131cd6c21de2f648f

SHA1
d5d98aa24c7bf260abc8e7dc8ffe41aecc0fe6d0

SHA256
f884d9faae676215b12673907004836f80af86f5686d2c80f39f4512d793775f

SHA512
9e1e5c8880176c760b72b7e4211f837b4002e9e2c4ce84e34544e2b3d42208ea76e82490cee423e2e93ef7afa57bc899e90364b0cf016283e555c2e48b54a95a

Download Submit
C:\Users\Admin\AppData\Local\gtihbnjsmr

Filesize
24.0MB

MD5
c3b3c5ae71c4d357612f9f4251cb8015

SHA1
52795dc19dec8e18b5ad402884d8bf386e17963f

SHA256
12cecdadddd2e43aee1492a9bc10d057cfd0a051992ca7090617361bc790ab27

SHA512
f858d0abf472eea24217831347b11e4e891c927b8a14514f372bd5538d25c95049bc4be2d851e97acce127222ab3dc683ca29b610deb33e997313dd3d2e48dfd

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
206B

MD5
d3e6e037a67e6b9d08b79f245d34f8a4

SHA1
9e94895375be73560c66a81ba3c2e41551d383cb

SHA256
96acc579f522116388209b6decae40b8a19659754589511bfbc885abc6a197f3

SHA512
ed56c41fa590fe681b14478bf7b7266de42341c36ce22b1745a0f39db013beed518baa9c051df91ab786a7af73196c3d77f33b0e56b4f7503fb175974ff03823

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
309B

MD5
0418f3e094a908093c93fa28fad1c3a7

SHA1
7b40cb8dd6632cdd13fa1d6b7685d47ea9686fa0

SHA256
b15785725db12be456db3b943cf2887c830c68b75c8850cc9fa0ad9c818c42ad

SHA512
85f5744c5ca175f0135a45919b7bb69a70b286ebf5d5b37d661c14b4ef0ac3a6bbedf48b01f8cca40f77eb2486dba81483a014e8a3d9569f9f7e92fd960cf45c

Download Submit
\??\c:\programdata\drm\%sessionname%\ipmce.cc3

Filesize
20.0MB

MD5
a44b1f7650b239e9d4bd9abe86c18de0

SHA1
9b70c7449c7513c6a4e4266088815de9dd3ff566

SHA256
9d671cd3ef982458c4c1de3db8b5d7f0c84c210e470a5bc7a5dd676aa8b96d37

SHA512
57e316616e33c0048f7f21e3d303ff2cb2d1db4dc906dddbcc7268630716e8270be20595a104bd059660fb3561d4f2c57e7a111e9177de55b577e0c98c66ee07

Download Submit
\??\c:\users\admin\appdata\local\gtihbnjsmr

Filesize
24.0MB

MD5
c3b3c5ae71c4d357612f9f4251cb8015

SHA1
52795dc19dec8e18b5ad402884d8bf386e17963f

SHA256
12cecdadddd2e43aee1492a9bc10d057cfd0a051992ca7090617361bc790ab27

SHA512
f858d0abf472eea24217831347b11e4e891c927b8a14514f372bd5538d25c95049bc4be2d851e97acce127222ab3dc683ca29b610deb33e997313dd3d2e48dfd

Download Submit