gh0strat | a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d

General

Target

a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
Size

783KB
MD5

735f0f706afd0913eff44095eea10e31
SHA1

5ef1b959ccaf5364663d1056b87fe1ebf85fea51
SHA256

a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d
SHA512

32c930576362d68b46b4ab2a5392f63183425b49a8145217eebc19fae70dbbe30d7c1f07abc74b02ed97b8af928de3f299c8fecad12300420aa62e09372345a5
SSDEEP

12288:jfoZQG1PyUwGh3Q9xRQpR3PvGLxe0DMwRoZQp1PyUwGhxYV:Tod1twGwkR3PIx7DBoe1twGC

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/3540-132-0x0000000000400000-0x00000000004C8000-memory.dmp	family_gh0strat
behavioral2/memory/3540-138-0x0000000000400000-0x00000000004C8000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Qmfrmy\Parameters\ServiceDll = "C:\\Windows\\system32\\Qmfrmyex.dll"	regedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\Qmfrmyex.dll	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
File created	C:\Windows\SysWOW64\Qmfrmyex.dll	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
File opened for modification	C:\Windows\SysWOW64\Qmfrmyex.dll	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
File created	C:\Windows\SysWOW64\syslog.dat	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
File opened for modification	C:\Windows\SysWOW64\Qmfrmyex.dll_lang.ini	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 3 IoCs

pid	Process
2296	regedit.exe
2448	regedit.exe
4128	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 85899345940	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
Token: SeDebugPrivilege	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2296	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	86
PID 3540 wrote to memory of 2296	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	86
PID 3540 wrote to memory of 2296	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	86
PID 3540 wrote to memory of 2448	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	87
PID 3540 wrote to memory of 2448	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	87
PID 3540 wrote to memory of 2448	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	87
PID 3540 wrote to memory of 4128	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	88
PID 3540 wrote to memory of 4128	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	88
PID 3540 wrote to memory of 4128	3540	a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe	88

C:\Users\Admin\AppData\Local\Temp\a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe
"C:\Users\Admin\AppData\Local\Temp\a46fc273226d0ef8cc8cd79ff08bd7cf5bb43f5d584cc42c197f0cb49bbca17d.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /e "C:\Users\Admin\AppData\Local\Temp\240618781_lang.reg" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
  2⤵
  - Runs .reg file with regedit
  PID:2296
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\240618781_lang.reg"
  2⤵
  - Runs .reg file with regedit
  PID:2448
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\240636218_lang.reg"
  2⤵
  - Sets DLL path for service in the registry
  - Runs .reg file with regedit
  PID:4128

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240618781_lang.reg

Filesize
21KB

MD5
cb37f49adc2d165c75ba26b4842bd3f1

SHA1
cdc9decd985ed1ecf5cf4cc85e8783f241ca2ebb

SHA256
16200162ca0216b44fd2d3cb584911df090e56c0ea4d05039a57e75a87108e08

SHA512
0bfe402ae82791ba26f5f668dd78f27bfe367335b7372e6c2545e8e067f28b309f62cd6ac289048c1af65f5faedd2eafb9a6deec43fad1ba9e235169f2348275

Download Submit
C:\Users\Admin\AppData\Local\Temp\240636218_lang.reg

Filesize
680B

MD5
fe607ebe278f02fb3635f553f7a52bfa

SHA1
222668b35d24119a6a04035ccfd6d9218cac2830

SHA256
c4d6f4198542bd39c53d8e3baac1497d8277d4d49742e707635009f350a5a5fb

SHA512
0546056f69fdf5d00007e6264e9510aecbcf206b8e7f303c303d8a9fddd9a232013b99893c7ca018c16796cf29f7351e2a047c8c9a8ce0f15972957d72ce7ed4

Download Submit
memory/3540-132-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3540-138-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing