Analysis
-
max time kernel
11s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
28/10/2022, 22:55
Behavioral task
behavioral1
Sample
6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll
Resource
win7-20220812-en
General
-
Target
6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll
-
Size
133KB
-
MD5
0c4cc070573d6f909d08b6cd5d3695a3
-
SHA1
aa05eb797e2f4498f196dd258525028182d8b9d9
-
SHA256
6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2
-
SHA512
6eb75e18503bf5a61d8cc6eed0c88c430ea45ae158bf394c042693b784ce4451fe51d378b446c162ea7dbdefa719be1aea9235b39e664d527911d814004c5d41
-
SSDEEP
3072:bixrcYyNNBxIf58d6UuSMhXk22T94oz7vEEZzcEtJO:aANBxIxh0u4TSg7vECzcu0
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
resource                                     yara_rule
behavioral1/files/0x000e000000013473-56.dat  family_gh0strat
behavioral1/files/0x000e000000013473-57.dat  family_gh0strat -
Loads dropped DLL 1 IoCs
pid   Process
1552  svchost.exe -
Drops file in Program Files directory 2 IoCs
description                   ioc                                        Process
File opened for modification  C:\Program Files (x86)\Oklm\Tklmnopqr.jpg  rundll32.exe
File created                  C:\Program Files (x86)\Oklm\Tklmnopqr.jpg  rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
1552  svchost.exe
1552  svchost.exe
1552  svchost.exe
1552  svchost.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description                pid   Process
Token: SeBackupPrivilege   1004  rundll32.exe
Token: SeRestorePrivilege  1004  rundll32.exe
Token: SeBackupPrivilege   1004  rundll32.exe
Token: SeRestorePrivilege  1004  rundll32.exe
Token: SeBackupPrivilege   1004  rundll32.exe
Token: SeRestorePrivilege  1004  rundll32.exe
Token: SeBackupPrivilege   1004  rundll32.exe
Token: SeRestorePrivilege  1004  rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description                       pid   Process       procid_target
PID 1452 wrote to memory of 1004  1452  rundll32.exe  17
PID 1452 wrote to memory of 1004  1452  rundll32.exe  17
PID 1452 wrote to memory of 1004  1452  rundll32.exe  17
PID 1452 wrote to memory of 1004  1452  rundll32.exe  17
PID 1452 wrote to memory of 1004  1452  rundll32.exe  17
PID 1452 wrote to memory of 1004  1452  rundll32.exe  17
PID 1452 wrote to memory of 1004  1452  rundll32.exe  17
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll,#1
- Suspicious use of WriteProcessMemory
PID:1452 -
    C:\Windows\SysWOW64\rundll32.exe (child of PID 1452)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll,#1
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
-
-
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1552
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
82KB
MD5     f6c20ed7824be3156672a654beb1b694
SHA1    eb416e5f3839b22ba6e220a7b9d48f756a737634
SHA256  14b7edd5fdc7bd3520cf277d5cd418d4eb968531c7934c7a23c854586b56a227
SHA512  552ffcbc58785ce0186a5edfa9fb6d0aa5de5b0fc29252776b270425f9fc7965f3959ec957f40dc1eb18f7124420cbb34d75ee7f79edea4066f28216aa48417c
-
Filesize
89KB
MD5     225b2570a7f66f55d7265cb499b34f56
SHA1    9c29456481860fa160f4841869ab8fcb18e3c182
SHA256  c344d94fe0a9b0f07e7f38acfe13eab4898005838317054615753d01c2cf1e14
SHA512  9e433341e9d29aaedba59ae370f9908340367c9615a146fb8e8cc04ed01d12506014fda07985a124f0dd5d843892951ca5b274fe9833f971ff5b124d275c0800