gh0strat | 84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd

Analysis

max time kernel
137s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
Size

925KB
MD5

394277e5e016005e96ded8342bfeb041
SHA1

26762b55abd3f375dffb662ccf252901d82e2538
SHA256

84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd
SHA512

ad73aa78852ee36e67546ecd1b106ab1bc88491ab7a73b154eee1a8d039879d88ec87fe371f2c4fcbcb1d2a3d254ebe0dc970f0d0c4261b2c88c12774c015311
SSDEEP

24576:jkr7jT4WOCtG3r9WyErEwk664hq/ERAfHYI:jOIpj3r9WyEr04yEWvR

Score

10^/10

gh0strat discovery exploit rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4396-147-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat
behavioral2/memory/2988-165-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 5 IoCs

Processes:

jb.exescvhost.exe2.exeMFC71CHS.exelqnplksmvw

pid process

4484 jb.exe
4396 scvhost.exe
4936 2.exe
4904 MFC71CHS.exe
2988 lqnplksmvw
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3280 takeown.exe
2616 icacls.exe
1640 takeown.exe
1688 icacls.exe

pid	process
4484	jb.exe
4396	scvhost.exe
4936	2.exe
4904	MFC71CHS.exe
2988	lqnplksmvw

pid	process
3280	takeown.exe
2616	icacls.exe
1640	takeown.exe
1688	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

2616 icacls.exe
1640 takeown.exe
1688 icacls.exe
3280 takeown.exe

pid	process
2616	icacls.exe
1640	takeown.exe
1688	icacls.exe
3280	takeown.exe

Drops file in System32 directory 5 IoCs

Processes:

2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	2.exe
File created	C:\Windows\SysWOW64\sxload.tmp	2.exe
File opened for modification	C:\Windows\SysWOW64\1237BA9.tmp	2.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	2.exe
File opened for modification	C:\Windows\SysWOW64\1239AFA.tmp	2.exe

Drops file in Program Files directory 1 IoCs

Processes:

2.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sx998.tmp 2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2448 2988 WerFault.exe lqnplksmvw
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4652 taskkill.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

scvhost.exelqnplksmvw

pid process

4396 scvhost.exe
4396 scvhost.exe
2988 lqnplksmvw
2988 lqnplksmvw

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sx998.tmp	2.exe

pid	pid_target	process	target process
2448	2988	WerFault.exe	lqnplksmvw

pid	process
4652	taskkill.exe

pid	process
4396	scvhost.exe
4396	scvhost.exe
2988	lqnplksmvw
2988	lqnplksmvw

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

2.exetakeown.exetakeown.exetaskkill.exelqnplksmvw

description	pid	process
Token: SeDebugPrivilege	4936	2.exe
Token: SeTakeOwnershipPrivilege	3280	takeown.exe
Token: SeTakeOwnershipPrivilege	1640	takeown.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeRestorePrivilege	2988	lqnplksmvw
Token: SeBackupPrivilege	2988	lqnplksmvw
Token: SeBackupPrivilege	2988	lqnplksmvw
Token: SeRestorePrivilege	2988	lqnplksmvw

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

2.exe

pid process

4936 2.exe
4936 2.exe
4936 2.exe
4936 2.exe
4936 2.exe
4936 2.exe
4936 2.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

scvhost.exe

pid process

4396 scvhost.exe

pid	process
4936	2.exe
4936	2.exe
4936	2.exe
4936	2.exe
4936	2.exe
4936	2.exe
4936	2.exe

pid	process
4396	scvhost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exejb.exe2.execmd.execmd.exe

description	pid	process	target process
PID 5084 wrote to memory of 4484	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	jb.exe
PID 5084 wrote to memory of 4484	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	jb.exe
PID 5084 wrote to memory of 4484	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	jb.exe
PID 5084 wrote to memory of 4396	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	scvhost.exe
PID 5084 wrote to memory of 4396	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	scvhost.exe
PID 5084 wrote to memory of 4396	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	scvhost.exe
PID 5084 wrote to memory of 4936	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	2.exe
PID 5084 wrote to memory of 4936	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	2.exe
PID 5084 wrote to memory of 4936	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	2.exe
PID 5084 wrote to memory of 4904	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 5084 wrote to memory of 4904	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 5084 wrote to memory of 4904	5084	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 4484 wrote to memory of 2988	4484	jb.exe	lqnplksmvw
PID 4484 wrote to memory of 2988	4484	jb.exe	lqnplksmvw
PID 4484 wrote to memory of 2988	4484	jb.exe	lqnplksmvw
PID 4936 wrote to memory of 3956	4936	2.exe	cmd.exe
PID 4936 wrote to memory of 3956	4936	2.exe	cmd.exe
PID 4936 wrote to memory of 3956	4936	2.exe	cmd.exe
PID 3956 wrote to memory of 3280	3956	cmd.exe	takeown.exe
PID 3956 wrote to memory of 3280	3956	cmd.exe	takeown.exe
PID 3956 wrote to memory of 3280	3956	cmd.exe	takeown.exe
PID 3956 wrote to memory of 2616	3956	cmd.exe	icacls.exe
PID 3956 wrote to memory of 2616	3956	cmd.exe	icacls.exe
PID 3956 wrote to memory of 2616	3956	cmd.exe	icacls.exe
PID 4936 wrote to memory of 4668	4936	2.exe	cmd.exe
PID 4936 wrote to memory of 4668	4936	2.exe	cmd.exe
PID 4936 wrote to memory of 4668	4936	2.exe	cmd.exe
PID 4668 wrote to memory of 1640	4668	cmd.exe	takeown.exe
PID 4668 wrote to memory of 1640	4668	cmd.exe	takeown.exe
PID 4668 wrote to memory of 1640	4668	cmd.exe	takeown.exe
PID 4668 wrote to memory of 1688	4668	cmd.exe	icacls.exe
PID 4668 wrote to memory of 1688	4668	cmd.exe	icacls.exe
PID 4668 wrote to memory of 1688	4668	cmd.exe	icacls.exe
PID 4936 wrote to memory of 4652	4936	2.exe	taskkill.exe
PID 4936 wrote to memory of 4652	4936	2.exe	taskkill.exe
PID 4936 wrote to memory of 4652	4936	2.exe	taskkill.exe
PID 4936 wrote to memory of 3684	4936	2.exe	cmd.exe
PID 4936 wrote to memory of 3684	4936	2.exe	cmd.exe
PID 4936 wrote to memory of 3684	4936	2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
"C:\Users\Admin\AppData\Local\Temp\84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\jb.exe
  "C:\Users\Admin\AppData\Local\Temp\jb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4484
- - \??\c:\users\admin\appdata\local\lqnplksmvw
    "C:\Users\Admin\AppData\Local\Temp\jb.exe" a -sc:\users\admin\appdata\local\temp\jb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 324
      4⤵
      Program crash
      PID:2448
- C:\Users\Admin\AppData\Local\Temp\scvhost.exe
  "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\system32\rasadhlp.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:3280
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\system32\midimap.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1640
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "GamePlaza.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 1.bat
    3⤵
    PID:3684
- C:\Users\Admin\AppData\Local\Temp\MFC71CHS.exe
  "C:\Users\Admin\AppData\Local\Temp\MFC71CHS.exe"
  2⤵
  - Executes dropped EXE
  PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2988 -ip 2988
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
125B

MD5
3b7dd85c6011192882bad9eda56a79f3

SHA1
898067776de1931b3e35a3ce9728b25c063dbf50

SHA256
f70d667736dd2c4a4739e78b3c052616aaf647a95dbb9e562124337e29793c17

SHA512
9a051dc0c1d6f4df181f97744b71c5e4f0670040c3b8501436c555b299a762cbf5b7e7c3ab6d1b4e414477f2717cab404fe4652e11b5bc008f7e21c84dd80764

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
16KB

MD5
bb50b21e70f4f92ee7624c7801d45e55

SHA1
d704aab549c11c239e9700eb34c6175453088ac2

SHA256
ba26c68192155b7bd230aa25f74922c4e382b23721e79fdff0119e444a5fc238

SHA512
8c2aa6236d0a1246ad976dab8ad9f7ff6323753afeede6de3f50f7c2f100188a3737a4c90125eeec8f7122f612f3c4098b83a873aa35c9a66e8713d1b1f14948

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
16KB

MD5
bb50b21e70f4f92ee7624c7801d45e55

SHA1
d704aab549c11c239e9700eb34c6175453088ac2

SHA256
ba26c68192155b7bd230aa25f74922c4e382b23721e79fdff0119e444a5fc238

SHA512
8c2aa6236d0a1246ad976dab8ad9f7ff6323753afeede6de3f50f7c2f100188a3737a4c90125eeec8f7122f612f3c4098b83a873aa35c9a66e8713d1b1f14948

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFC71CHS.exe

Filesize
543KB

MD5
ef3bda86cfc2991018f32092d3b01b25

SHA1
5ddfcfe2ed6fae903473bed84bd96ad83c1c8b15

SHA256
4e0e7d383f30a6f14dd03c01ae74b3cfbe18b980589134e38d96c089fd6d5314

SHA512
8c2d1cbfb4186a8b87cedfe98ca9b35952e13a0c0cbaed21b16d289ebd9e7f053cfde4ccf6e7ce09ab2a6813a949d670790f7ff5ed2722a3cf7a1e9c89e99dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFC71CHS.exe

Filesize
543KB

MD5
ef3bda86cfc2991018f32092d3b01b25

SHA1
5ddfcfe2ed6fae903473bed84bd96ad83c1c8b15

SHA256
4e0e7d383f30a6f14dd03c01ae74b3cfbe18b980589134e38d96c089fd6d5314

SHA512
8c2d1cbfb4186a8b87cedfe98ca9b35952e13a0c0cbaed21b16d289ebd9e7f053cfde4ccf6e7ce09ab2a6813a949d670790f7ff5ed2722a3cf7a1e9c89e99dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jb.exe

Filesize
196KB

MD5
d9f0d856a12a5b34aa5801f71d930bbc

SHA1
9c4cda360b5b4b4b43c99782afcc159b9710e554

SHA256
fd4c618f459ede2868d1846c50a3996fc874342afd18e264dfcb3725a3712269

SHA512
70b95bd3d1a409ca3dc89e179eced8258ef46d2d52dd8b1f8e9abd1a3496319f0e3c3b7ac0a476440b15ee6a716c5bcc0d479105ee3c12db67bbba90232e336f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jb.exe

Filesize
196KB

MD5
d9f0d856a12a5b34aa5801f71d930bbc

SHA1
9c4cda360b5b4b4b43c99782afcc159b9710e554

SHA256
fd4c618f459ede2868d1846c50a3996fc874342afd18e264dfcb3725a3712269

SHA512
70b95bd3d1a409ca3dc89e179eced8258ef46d2d52dd8b1f8e9abd1a3496319f0e3c3b7ac0a476440b15ee6a716c5bcc0d479105ee3c12db67bbba90232e336f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhost.exe

Filesize
137KB

MD5
02f1a88947345170ed8f01779baa2645

SHA1
4e2cd34f2f8e6ea4e0fa06ba3de7f539aaf96293

SHA256
0121a9201574d372d625d49f1975fd1c90c2cc871bf06cd1bec9f557e9fa1e3b

SHA512
5b9da92bb3dc3f9c9757dbc9deda51eab33e3d5bd0c4ed54dae8b29453c392149aca240a3e7f34b1b3dacc29680dd5b1cbd97b3509e633c6d3486cbd932ebe75

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhost.exe

Filesize
137KB

MD5
02f1a88947345170ed8f01779baa2645

SHA1
4e2cd34f2f8e6ea4e0fa06ba3de7f539aaf96293

SHA256
0121a9201574d372d625d49f1975fd1c90c2cc871bf06cd1bec9f557e9fa1e3b

SHA512
5b9da92bb3dc3f9c9757dbc9deda51eab33e3d5bd0c4ed54dae8b29453c392149aca240a3e7f34b1b3dacc29680dd5b1cbd97b3509e633c6d3486cbd932ebe75

Download Submit
C:\Users\Admin\AppData\Local\lqnplksmvw

Filesize
22.2MB

MD5
c0ba5460ec2689f6a9da353e3f979867

SHA1
6d224d9721b3f02059f38cda19794d44c00ac123

SHA256
0fb3c0050130d19495c7f664b24c9326ff22c2dd84b9c2cec848a1b6c25e7b17

SHA512
2010e4269846488f96264e1e151db2e5f5cfbdb408300266ae06f6a2ea284b602f5302f107089f0c85df03a43f0f4962d224927fbecdf4eb4a179d5b8c4db11b

Download Submit
\??\c:\users\admin\appdata\local\lqnplksmvw

Filesize
22.2MB

MD5
c0ba5460ec2689f6a9da353e3f979867

SHA1
6d224d9721b3f02059f38cda19794d44c00ac123

SHA256
0fb3c0050130d19495c7f664b24c9326ff22c2dd84b9c2cec848a1b6c25e7b17

SHA512
2010e4269846488f96264e1e151db2e5f5cfbdb408300266ae06f6a2ea284b602f5302f107089f0c85df03a43f0f4962d224927fbecdf4eb4a179d5b8c4db11b

Download Submit
memory/1640-159-0x0000000000000000-mapping.dmp

Download
memory/1688-160-0x0000000000000000-mapping.dmp

Download
memory/2616-157-0x0000000000000000-mapping.dmp

Download
memory/2988-165-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2988-151-0x0000000000000000-mapping.dmp

Download
memory/2988-164-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2988-154-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3280-156-0x0000000000000000-mapping.dmp

Download
memory/3684-162-0x0000000000000000-mapping.dmp

Download
memory/3956-155-0x0000000000000000-mapping.dmp

Download
memory/4396-147-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/4396-136-0x0000000000000000-mapping.dmp

Download
memory/4484-146-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4484-133-0x0000000000000000-mapping.dmp

Download
memory/4652-161-0x0000000000000000-mapping.dmp

Download
memory/4668-158-0x0000000000000000-mapping.dmp

Download
memory/4904-142-0x0000000000000000-mapping.dmp

Download
memory/4936-139-0x0000000000000000-mapping.dmp

Download
memory/5084-132-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/5084-145-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download