gh0strat | 78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe
Size

150KB
MD5

30c583257b552ec79cf83f04113d7244
SHA1

83fb0454eac8325e88a249df73c1d775a6b13873
SHA256

78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923
SHA512

fea3ed19967ab5fd48974f7afee6489264b7ef3c230e34786bb295408fdcc1cae3c99418b67aa74ace6c7d5438c69793ad1bf55b7d9bf4cc49ce51fa6ccb05d9
SSDEEP

3072:uv5zQKSJs/rWDVV8EcUqgzOc8hdF/7oQkx5YbMHkdv2j:c5MK2orQ7XAgzahdJ3s5YKIvY

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1456-63-0x0000000000400000-0x0000000000430000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1456	ind61B1.tmp

Loads dropped DLL 1 IoCs

pid	Process
876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loader.dll	ind61B1.tmp
File created	C:\Program Files\Common Files\lanmao.dll	ind61B1.tmp

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\WINDOWS\vbcfg.ini	ind61B1.tmp
File created	C:\Windows\Installer\6ea620.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6ea620.msi	msiexec.exe
File created	C:\Windows\Installer\6ea622.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe
1468	msiexec.exe
1468	msiexec.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2036	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	1468	msiexec.exe
Token: SeTakeOwnershipPrivilege	1468	msiexec.exe
Token: SeSecurityPrivilege	1468	msiexec.exe
Token: SeCreateTokenPrivilege	2036	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2036	msiexec.exe
Token: SeLockMemoryPrivilege	2036	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2036	msiexec.exe
Token: SeMachineAccountPrivilege	2036	msiexec.exe
Token: SeTcbPrivilege	2036	msiexec.exe
Token: SeSecurityPrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeLoadDriverPrivilege	2036	msiexec.exe
Token: SeSystemProfilePrivilege	2036	msiexec.exe
Token: SeSystemtimePrivilege	2036	msiexec.exe
Token: SeProfSingleProcessPrivilege	2036	msiexec.exe
Token: SeIncBasePriorityPrivilege	2036	msiexec.exe
Token: SeCreatePagefilePrivilege	2036	msiexec.exe
Token: SeCreatePermanentPrivilege	2036	msiexec.exe
Token: SeBackupPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeShutdownPrivilege	2036	msiexec.exe
Token: SeDebugPrivilege	2036	msiexec.exe
Token: SeAuditPrivilege	2036	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2036	msiexec.exe
Token: SeChangeNotifyPrivilege	2036	msiexec.exe
Token: SeRemoteShutdownPrivilege	2036	msiexec.exe
Token: SeUndockPrivilege	2036	msiexec.exe
Token: SeSyncAgentPrivilege	2036	msiexec.exe
Token: SeEnableDelegationPrivilege	2036	msiexec.exe
Token: SeManageVolumePrivilege	2036	msiexec.exe
Token: SeImpersonatePrivilege	2036	msiexec.exe
Token: SeCreateGlobalPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	1468	msiexec.exe
Token: SeTakeOwnershipPrivilege	1468	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1456	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	28
PID 876 wrote to memory of 1456	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	28
PID 876 wrote to memory of 1456	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	28
PID 876 wrote to memory of 1456	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	28
PID 876 wrote to memory of 1456	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	28
PID 876 wrote to memory of 1456	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	28
PID 876 wrote to memory of 1456	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	28
PID 876 wrote to memory of 2036	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	29
PID 876 wrote to memory of 2036	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	29
PID 876 wrote to memory of 2036	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	29
PID 876 wrote to memory of 2036	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	29
PID 876 wrote to memory of 2036	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	29
PID 876 wrote to memory of 2036	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	29
PID 876 wrote to memory of 2036	876	78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe	29

C:\Users\Admin\AppData\Local\Temp\78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe
"C:\Users\Admin\AppData\Local\Temp\78da7b89d3cdbc4b90ea3b0311ebf63e1fff22936ef6e1433b0ea46555a7e923.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\ind61B1.tmp
  C:\Users\Admin\AppData\Local\Temp\ind61B1.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1456
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSF67~1.INI /quiet
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INSF67~1.INI

Filesize
66KB

MD5
1a629fec0a3f2fe6dbe8e80a00d04092

SHA1
6278c11188570b21add2d2a1751900a13f485ac4

SHA256
1f32504291b371fbb0d51ef892c27450125b85c735f94ca793f36f4e218ebf0d

SHA512
96c51385599a471835f016025a62a8eb1658e9a521de5431a66362accef00dc56ee68e182aa64dde62de633389ca8068049342a6972556d6da7aeb1f59a61427

Download Submit
C:\Users\Admin\AppData\Local\Temp\ind61B1.tmp

Filesize
327.1MB

MD5
f5fd546ad95fcc1906ceb01de20682bd

SHA1
2be9daf33f12425a76d011853ff89bb4cd70e4ec

SHA256
ac71ed975e8bf22eb744f273f63bbd294f6d7747e6f4e46bead8432361ccd2c1

SHA512
ae7b9260fcc02b4ad50e698f38484c29e79841e3f427e7ef3756286c22019a30f42fa49e6f41418386675d07a77efdeca27d25a8b665c3a8287857fe3d610c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ind61B1.tmp

Filesize
327.1MB

MD5
f5fd546ad95fcc1906ceb01de20682bd

SHA1
2be9daf33f12425a76d011853ff89bb4cd70e4ec

SHA256
ac71ed975e8bf22eb744f273f63bbd294f6d7747e6f4e46bead8432361ccd2c1

SHA512
ae7b9260fcc02b4ad50e698f38484c29e79841e3f427e7ef3756286c22019a30f42fa49e6f41418386675d07a77efdeca27d25a8b665c3a8287857fe3d610c0c

Download Submit
\Users\Admin\AppData\Local\Temp\ind61B1.tmp

Filesize
327.1MB

MD5
f5fd546ad95fcc1906ceb01de20682bd

SHA1
2be9daf33f12425a76d011853ff89bb4cd70e4ec

SHA256
ac71ed975e8bf22eb744f273f63bbd294f6d7747e6f4e46bead8432361ccd2c1

SHA512
ae7b9260fcc02b4ad50e698f38484c29e79841e3f427e7ef3756286c22019a30f42fa49e6f41418386675d07a77efdeca27d25a8b665c3a8287857fe3d610c0c

Download Submit
memory/876-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-58-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/876-56-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/876-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/876-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-69-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/1456-63-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1468-68-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download