gh0strat | 1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403

Analysis

max time kernel
165s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe
Size

236KB
MD5

3d80e6a989ea622e375699511f4d5dee
SHA1

964cd3555cb021285fc003f1476b2025097a56e5
SHA256

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403
SHA512

012c2eec7c84c6a0a90a02a2307a5a560e19502f10e73af1ffc82903282fdf0eb25d1b2959662095c9857ac778b214f8a8e54319160598e3c6ec49d26bcff98a
SSDEEP

6144:dQqjB8lD9jRWWPSRf5lRuGMJnuDoVg5cXa54CtrINR0A:WlFR3Yf5l2uMVg5cXl6rBA

Score

10^/10

gh0strat discovery exploit rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2216-141-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/2216-142-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/2216-146-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 2 IoCs

Processes:

server.execcc.exe

pid process

2216 server.exe
2256 ccc.exe
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

4788 takeown.exe
4148 icacls.exe
1520 takeown.exe
1964 icacls.exe
224 takeown.exe
5004 icacls.exe

pid	process
2216	server.exe
2256	ccc.exe

pid	process
4788	takeown.exe
4148	icacls.exe
1520	takeown.exe
1964	icacls.exe
224	takeown.exe
5004	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

4148 icacls.exe
1520 takeown.exe
1964 icacls.exe
224 takeown.exe
5004 icacls.exe
4788 takeown.exe

pid	process
4148	icacls.exe
1520	takeown.exe
1964	icacls.exe
224	takeown.exe
5004	icacls.exe
4788	takeown.exe

Drops file in System32 directory 7 IoCs

Processes:

ccc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	ccc.exe
File opened for modification	C:\Windows\SysWOW64\123E824.tmp	ccc.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	ccc.exe
File opened for modification	C:\Windows\SysWOW64\123EDC3.tmp	ccc.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	ccc.exe
File created	C:\Windows\SysWOW64\sxload.tmp	ccc.exe
File opened for modification	C:\Windows\SysWOW64\123DF59.tmp	ccc.exe

Drops file in Program Files directory 1 IoCs

Processes:

ccc.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxcw.tmp ccc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3356 taskkill.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

server.execcc.exe

pid process

2216 server.exe
2216 server.exe
2256 ccc.exe
2256 ccc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ccc.exetakeown.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2256 ccc.exe
Token: SeTakeOwnershipPrivilege 4788 takeown.exe
Token: SeDebugPrivilege 3356 taskkill.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

ccc.exe

pid process

2256 ccc.exe
2256 ccc.exe
2256 ccc.exe
2256 ccc.exe
2256 ccc.exe
2256 ccc.exe
2256 ccc.exe
2256 ccc.exe
2256 ccc.exe
2256 ccc.exe
2256 ccc.exe
2256 ccc.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxcw.tmp	ccc.exe

pid	process
3356	taskkill.exe

pid	process
2216	server.exe
2216	server.exe
2256	ccc.exe
2256	ccc.exe

description	pid	process
Token: SeDebugPrivilege	2256	ccc.exe
Token: SeTakeOwnershipPrivilege	4788	takeown.exe
Token: SeDebugPrivilege	3356	taskkill.exe

pid	process
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe
2256	ccc.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.execcc.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4356 wrote to memory of 2216	4356	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 4356 wrote to memory of 2216	4356	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 4356 wrote to memory of 2216	4356	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 4356 wrote to memory of 2256	4356	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 4356 wrote to memory of 2256	4356	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 4356 wrote to memory of 2256	4356	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 2256 wrote to memory of 4340	2256	ccc.exe	cmd.exe
PID 2256 wrote to memory of 4340	2256	ccc.exe	cmd.exe
PID 2256 wrote to memory of 4340	2256	ccc.exe	cmd.exe
PID 4340 wrote to memory of 4892	4340	cmd.exe	cmd.exe
PID 4340 wrote to memory of 4892	4340	cmd.exe	cmd.exe
PID 4340 wrote to memory of 4892	4340	cmd.exe	cmd.exe
PID 4892 wrote to memory of 4788	4892	cmd.exe	takeown.exe
PID 4892 wrote to memory of 4788	4892	cmd.exe	takeown.exe
PID 4892 wrote to memory of 4788	4892	cmd.exe	takeown.exe
PID 4340 wrote to memory of 4148	4340	cmd.exe	icacls.exe
PID 4340 wrote to memory of 4148	4340	cmd.exe	icacls.exe
PID 4340 wrote to memory of 4148	4340	cmd.exe	icacls.exe
PID 2256 wrote to memory of 2084	2256	ccc.exe	cmd.exe
PID 2256 wrote to memory of 2084	2256	ccc.exe	cmd.exe
PID 2256 wrote to memory of 2084	2256	ccc.exe	cmd.exe
PID 2084 wrote to memory of 3088	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 3088	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 3088	2084	cmd.exe	cmd.exe
PID 3088 wrote to memory of 1520	3088	cmd.exe	takeown.exe
PID 3088 wrote to memory of 1520	3088	cmd.exe	takeown.exe
PID 3088 wrote to memory of 1520	3088	cmd.exe	takeown.exe
PID 2084 wrote to memory of 1964	2084	cmd.exe	icacls.exe
PID 2084 wrote to memory of 1964	2084	cmd.exe	icacls.exe
PID 2084 wrote to memory of 1964	2084	cmd.exe	icacls.exe
PID 2256 wrote to memory of 2816	2256	ccc.exe	cmd.exe
PID 2256 wrote to memory of 2816	2256	ccc.exe	cmd.exe
PID 2256 wrote to memory of 2816	2256	ccc.exe	cmd.exe
PID 2816 wrote to memory of 3076	2816	cmd.exe	cmd.exe
PID 2816 wrote to memory of 3076	2816	cmd.exe	cmd.exe
PID 2816 wrote to memory of 3076	2816	cmd.exe	cmd.exe
PID 3076 wrote to memory of 224	3076	cmd.exe	takeown.exe
PID 3076 wrote to memory of 224	3076	cmd.exe	takeown.exe
PID 3076 wrote to memory of 224	3076	cmd.exe	takeown.exe
PID 2816 wrote to memory of 5004	2816	cmd.exe	icacls.exe
PID 2816 wrote to memory of 5004	2816	cmd.exe	icacls.exe
PID 2816 wrote to memory of 5004	2816	cmd.exe	icacls.exe
PID 2256 wrote to memory of 3356	2256	ccc.exe	taskkill.exe
PID 2256 wrote to memory of 3356	2256	ccc.exe	taskkill.exe
PID 2256 wrote to memory of 3356	2256	ccc.exe	taskkill.exe
PID 2256 wrote to memory of 3516	2256	ccc.exe	cmd.exe
PID 2256 wrote to memory of 3516	2256	ccc.exe	cmd.exe
PID 2256 wrote to memory of 3516	2256	ccc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe
"C:\Users\Admin\AppData\Local\Temp\1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\temp\server.exe
"C:\Windows\temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Windows\temp\ccc.exe
"C:\Windows\temp\ccc.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
4⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
4⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
4⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:224

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GTSaloon.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
3⤵
PID:3516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\123DF59.tmp

Filesize
192KB

MD5
e3f75f63f56789e5a3edb85f17933594

SHA1
d4a9ad438971294099f1b14b67f2d2f33ca19498

SHA256
8c6cbc631ec4013a3b99726f6bcaf3f8e11cb3f64a3ebf68b6e0e69cfaad54ce

SHA512
bfb732a68b5c5072caa0d4303bfdbaf0a74ee6bcd1cb2dbb32e0bd041a6693beff641124be57dacf4e0e1886e5e2988bcbe1e597f5a4aa8933ed5dd2de4c1a34

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll

Filesize
192KB

MD5
aafe4cc189edd5a9808503eede104c85

SHA1
609dce661aff6d63e0a0f7bd8a4db024afeadfff

SHA256
fe52d53b0d9966276f312eb15da23a01db52da5b608086d6c4f3c41aa6209ef5

SHA512
cb464b41a3e85a53042ce13086f63b36b5fc44eeecac7244099cec0ebc7633f3705289ead6efd32d47f7467b8b2cd289f7c8f5c13806eb257a9f5025949d4eea

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll

Filesize
12KB

MD5
ccc8b561f91537b54ea41ae10b60b2dc

SHA1
72c5bb4adf50cbcf9053b05ff35e5d8b97537305

SHA256
a3b573b45ad961bd358cf751f409fef62b9571c822fdeb6fd40fa64821f43271

SHA512
6e9f5e5638024bb704938bda9c0f686607e4c5530714ac684e74567d73d6b984dd06ced2d5b0f9fffc2b897aae2412cdf81dc1c78d611b829a89fdc559fe870f

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll

Filesize
12KB

MD5
ccc8b561f91537b54ea41ae10b60b2dc

SHA1
72c5bb4adf50cbcf9053b05ff35e5d8b97537305

SHA256
a3b573b45ad961bd358cf751f409fef62b9571c822fdeb6fd40fa64821f43271

SHA512
6e9f5e5638024bb704938bda9c0f686607e4c5530714ac684e74567d73d6b984dd06ced2d5b0f9fffc2b897aae2412cdf81dc1c78d611b829a89fdc559fe870f

Download Submit
C:\Windows\Temp\ccc.exe

Filesize
27KB

MD5
c0b6cb079880d48b6bf3175d8200195b

SHA1
562cd4d74300bd1450ea29dda5cb3316c1e1cb68

SHA256
43c5556171da1e5cc65f26c6b78a40138326544d4b04b63d174eafd6897c6577

SHA512
8dfd5dab36d859f39d14e780a7374bc28acca560e861038131ce3b15fed9b421549667c14ac59adf451fe0e439a9d1d5911e0ed6b7d0be0f078cf94df4ce7816

Download Submit
C:\Windows\Temp\server.exe

Filesize
192KB

MD5
77b189f73c6c8442ca6730d269f0ec31

SHA1
22164cd7a1222a93c9a6f1b10adf7503c7525ffe

SHA256
df466438dfbd7cb4f5e4b3c1dd754bfe1f3c72e750977c44508810252984a557

SHA512
f1cde9f37eeee0207cd492f4cc5ff6bf2c396179ec2f33683090fb40ee9d3abe6c9f5abccf0298c9b06cbd306c4223d86a1824af31b60464ef2e2e66a3e5f3f7

Download Submit
C:\Windows\temp\1.bat

Filesize
95B

MD5
49d854d9f0a8f920313b0b1137da5b5d

SHA1
c2b4cb3aba3e281906927faf339c87d1522f7176

SHA256
962c9148fd979db955f10b81d8aa6229faa0c83c842110046dc2d2e959e6fcc5

SHA512
438df8dc587604f84955be19175776ca5d3f194451b13d39cfff7e769b203506e0d2cde484597c3b206998563b9de96f328df3d2bdcff11f2e689dce4b14f375

Download Submit
C:\Windows\temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\temp\ccc.exe

Filesize
27KB

MD5
c0b6cb079880d48b6bf3175d8200195b

SHA1
562cd4d74300bd1450ea29dda5cb3316c1e1cb68

SHA256
43c5556171da1e5cc65f26c6b78a40138326544d4b04b63d174eafd6897c6577

SHA512
8dfd5dab36d859f39d14e780a7374bc28acca560e861038131ce3b15fed9b421549667c14ac59adf451fe0e439a9d1d5911e0ed6b7d0be0f078cf94df4ce7816

Download Submit
C:\Windows\temp\server.exe

Filesize
192KB

MD5
77b189f73c6c8442ca6730d269f0ec31

SHA1
22164cd7a1222a93c9a6f1b10adf7503c7525ffe

SHA256
df466438dfbd7cb4f5e4b3c1dd754bfe1f3c72e750977c44508810252984a557

SHA512
f1cde9f37eeee0207cd492f4cc5ff6bf2c396179ec2f33683090fb40ee9d3abe6c9f5abccf0298c9b06cbd306c4223d86a1824af31b60464ef2e2e66a3e5f3f7

Download Submit
memory/224-159-0x0000000000000000-mapping.dmp

Download
memory/1520-152-0x0000000000000000-mapping.dmp

Download
memory/1964-153-0x0000000000000000-mapping.dmp

Download
memory/2084-149-0x0000000000000000-mapping.dmp

Download
memory/2216-141-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2216-146-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2216-142-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2216-132-0x0000000000000000-mapping.dmp

Download
memory/2216-139-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2256-135-0x0000000000000000-mapping.dmp

Download
memory/2816-156-0x0000000000000000-mapping.dmp

Download
memory/3076-158-0x0000000000000000-mapping.dmp

Download
memory/3088-151-0x0000000000000000-mapping.dmp

Download
memory/3356-163-0x0000000000000000-mapping.dmp

Download
memory/3516-164-0x0000000000000000-mapping.dmp

Download
memory/4148-148-0x0000000000000000-mapping.dmp

Download
memory/4340-138-0x0000000000000000-mapping.dmp

Download
memory/4788-147-0x0000000000000000-mapping.dmp

Download
memory/4892-145-0x0000000000000000-mapping.dmp

Download
memory/5004-160-0x0000000000000000-mapping.dmp

Download