gh0strat | bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Size

2.3MB
MD5

0d004b7cca6b78d29c628532127754e9
SHA1

3fdb73a40f075e33aaf18008b35be817c10b9977
SHA256

bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb
SHA512

450fcd7863ca9ea6c02ed6181a547a32bb08124079c7b2dccd62ca71bf564e22d7ed0fd23f4c77bbd34b462d027fff452a9e1dc11cc4b0a146d388207b7f88d7
SSDEEP

49152:QAR6pHImCXi45lSevpEie7zoQY49aXZmMAXh4plixja8dTeJPlXmB+giUS:QwI7Wl5Yei1ox49unmJZa8d6JPlXDgiz

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/3088-15-0x0000000010000000-0x000000001018B000-memory.dmp	family_gh0strat
behavioral2/memory/3088-25-0x0000000000400000-0x000000000063C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
2924	sg.tmp
3088	wininit.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	wininit.exe
File opened (read-only)	\??\E:	wininit.exe
File opened (read-only)	\??\I:	wininit.exe
File opened (read-only)	\??\K:	wininit.exe
File opened (read-only)	\??\N:	wininit.exe
File opened (read-only)	\??\S:	wininit.exe
File opened (read-only)	\??\H:	wininit.exe
File opened (read-only)	\??\R:	wininit.exe
File opened (read-only)	\??\T:	wininit.exe
File opened (read-only)	\??\Y:	wininit.exe
File opened (read-only)	\??\P:	wininit.exe
File opened (read-only)	\??\Q:	wininit.exe
File opened (read-only)	\??\U:	wininit.exe
File opened (read-only)	\??\B:	wininit.exe
File opened (read-only)	\??\J:	wininit.exe
File opened (read-only)	\??\L:	wininit.exe
File opened (read-only)	\??\M:	wininit.exe
File opened (read-only)	\??\O:	wininit.exe
File opened (read-only)	\??\W:	wininit.exe
File opened (read-only)	\??\G:	wininit.exe
File opened (read-only)	\??\X:	wininit.exe
File opened (read-only)	\??\Z:	wininit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wininit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wininit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe
3088	wininit.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Token: SeRestorePrivilege	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Token: 33	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Token: SeIncBasePriorityPrivilege	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Token: 33	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Token: SeIncBasePriorityPrivilege	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Token: 33	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Token: SeIncBasePriorityPrivilege	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Token: SeRestorePrivilege	2924	sg.tmp
Token: 35	2924	sg.tmp
Token: SeSecurityPrivilege	2924	sg.tmp
Token: SeSecurityPrivilege	2924	sg.tmp
Token: 33	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
Token: SeIncBasePriorityPrivilege	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4760	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe	82
PID 372 wrote to memory of 4760	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe	82
PID 372 wrote to memory of 2924	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe	84
PID 372 wrote to memory of 2924	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe	84
PID 372 wrote to memory of 2924	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe	84
PID 372 wrote to memory of 3088	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe	86
PID 372 wrote to memory of 3088	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe	86
PID 372 wrote to memory of 3088	372	bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe	86

C:\Users\Admin\AppData\Local\Temp\bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe
"C:\Users\Admin\AppData\Local\Temp\bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\~3315722393058833224~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\bfe098da37f3cc3ef08e7cefc2b000a1043ff2b1819cc9d1771bc628f5e98fbb.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~2697974923541205727"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\~2697974923541205727\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\~2697974923541205727\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~2697974923541205727\wininit.exe

Filesize
1.0MB

MD5
9c721b69789898a419d8186f34c87bb7

SHA1
54d92bc23c738a23319d2dd4ed7f81af54dc5791

SHA256
3b90af072c31d14ef08f4b18faa18841aee45a21e0c6186369ad7a0faf3d98c5

SHA512
646cc1e1f21363941d85a4935bb1e58d1f729ca9f67f180c35f638cdaecdc27aa17e5b7c693ba0ee481fed125df89f8620c37f70ac16d32c3ca6fb8963b4f0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2697974923541205727\wininit.exe

Filesize
1.0MB

MD5
9c721b69789898a419d8186f34c87bb7

SHA1
54d92bc23c738a23319d2dd4ed7f81af54dc5791

SHA256
3b90af072c31d14ef08f4b18faa18841aee45a21e0c6186369ad7a0faf3d98c5

SHA512
646cc1e1f21363941d85a4935bb1e58d1f729ca9f67f180c35f638cdaecdc27aa17e5b7c693ba0ee481fed125df89f8620c37f70ac16d32c3ca6fb8963b4f0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3315722393058833224~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/3088-11-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/3088-13-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/3088-14-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/3088-15-0x0000000010000000-0x000000001018B000-memory.dmp

Filesize
1.5MB

Download
memory/3088-25-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download