gh0strat | a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d

General

Target

a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
Size

783KB
MD5

735f0f706afd0913eff44095eea10e31
SHA1

5ef1b959ccaf5364663d1056b87fe1ebf85fea51
SHA256

a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d
SHA512

32c930576362d68b46b4ab2a5392f63183425b49a8145217eebc19fae70dbbe30d7c1f07abc74b02ed97b8af928de3f299c8fecad12300420aa62e09372345a5
SSDEEP

12288:jfoZQG1PyUwGh3Q9xRQpR3PvGLxe0DMwRoZQp1PyUwGhxYV:Tod1twGwkR3PIx7DBoe1twGC

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1612-55-0x0000000000400000-0x00000000004C8000-memory.dmp	family_gh0strat
behavioral1/memory/1612-62-0x0000000000400000-0x00000000004C8000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Vrckwr\Parameters\ServiceDll = "C:\\Windows\\system32\\Vrckwrex.dll"	regedit.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Vrckwrex.dll	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
File created	C:\Windows\SysWOW64\syslog.dat	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
File opened for modification	C:\Windows\SysWOW64\Vrckwrex.dll_lang.ini	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
File created	C:\Windows\SysWOW64\dllcache\Vrckwrex.dll	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
File created	C:\Windows\SysWOW64\Vrckwrex.dll	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 3 IoCs

pid	Process
2020	regedit.exe
1704	regedit.exe
1528	regedit.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 85899345940	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
Token: SeDebugPrivilege	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2020	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	26
PID 1612 wrote to memory of 2020	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	26
PID 1612 wrote to memory of 2020	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	26
PID 1612 wrote to memory of 2020	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	26
PID 1612 wrote to memory of 2020	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	26
PID 1612 wrote to memory of 2020	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	26
PID 1612 wrote to memory of 2020	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	26
PID 1612 wrote to memory of 1704	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	27
PID 1612 wrote to memory of 1704	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	27
PID 1612 wrote to memory of 1704	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	27
PID 1612 wrote to memory of 1704	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	27
PID 1612 wrote to memory of 1704	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	27
PID 1612 wrote to memory of 1704	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	27
PID 1612 wrote to memory of 1704	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	27
PID 1612 wrote to memory of 1528	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	28
PID 1612 wrote to memory of 1528	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	28
PID 1612 wrote to memory of 1528	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	28
PID 1612 wrote to memory of 1528	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	28
PID 1612 wrote to memory of 1528	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	28
PID 1612 wrote to memory of 1528	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	28
PID 1612 wrote to memory of 1528	1612	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	28

C:\Users\Admin\AppData\Local\Temp\a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
"C:\Users\Admin\AppData\Local\Temp\a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /e "C:\Users\Admin\AppData\Local\Temp\7119246_lang.reg" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
  2⤵
  - Runs .reg file with regedit
  PID:2020
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7119246_lang.reg"
  2⤵
  - Runs .reg file with regedit
  PID:1704
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7131960_lang.reg"
  2⤵
  - Sets DLL path for service in the registry
  - Runs .reg file with regedit
  PID:1528

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7119246_lang.reg

Filesize
13KB

MD5
4586eade6d621cf64c3d6b6ca6a66f2b

SHA1
d29aed1f647f35a5c8d1025b7b36369e8e65745e

SHA256
12c06f8115c51525cdb4e04fa187d5c4f7244515a72b45b8b6c96bc63e97528f

SHA512
86c988103180b6057f580f6d46515b262fc4530c1fe5b3cfba0bcdb6b12e2bc9495334cc03a02f30b884608bd1ae6aee17326613f1ff1fe8cac84a0bded267d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7131960_lang.reg

Filesize
680B

MD5
ceb11bd63f2ed02a4905149ffb2ebc10

SHA1
e10bd6f60ca13caaa13193742fd9deaa361ea788

SHA256
a3ff03402b96acec05ef49348147e7f847f466c9c4f73574c341de9fa60f8ec3

SHA512
1be7ba7c4d3a805bf653722410efa44fd350a31083a98ae01494adbb876b3c02b02e2b4f69634adc90c2ff176ad10cb76541335581f5ee4b88c1bdce47e87f31

Download Submit
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-55-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1612-56-0x00000000009A0000-0x0000000000A68000-memory.dmp

Filesize
800KB

Download
memory/1612-62-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1612-66-0x00000000009A0000-0x0000000000A68000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing