Analysis
Max time kernel: 151s
Max time network: 46s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 02/12/2022, 20:57
Behavioral task: behavioral1
Sample: 5455595d598c012ef4f1c780380e9da5be6aac3391fc160e601b2313b3a3618e.dll
Resource: win7-20220812-en
General
Target: 5455595d598c012ef4f1c780380e9da5be6aac3391fc160e601b2313b3a3618e.dll
Size: 101KB
MD5: ce984afa468ecf45378f560032f2fe30
SHA1: 8ac533d69eee761236fe562af4ddead1f8cbaed1
SHA256: 5455595d598c012ef4f1c780380e9da5be6aac3391fc160e601b2313b3a3618e
SHA512: 526cf0ebdc96afffe9b3b30a8adc6b013c8bc011aa2d9ee5f93b25be4a2bd5da2af273849815f62f4153bf792f76730036d22b31da3be70a8317a319b3e667d7
SSDEEP: 3072:CwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwa5iG:JJVGpxx9b3wZuwa4G
Malware Config
Signatures

Gh0st RAT payload (1 IoC)
- resource: behavioral1/files/0x00180000000054ab-56.dat, yara_rule: family_gh0strat

Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\123456.jpg (rundll32.exe)
- File created: C:\Windows\123456.jpg (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (54 IoCs)
- pid 1980, svchost.exe (54 identical entries)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
- Token: SeBackupPrivilege, pid 1448, rundll32.exe (4 entries)
- Token: SeRestorePrivilege, pid 1448, rundll32.exe (4 entries, alternating with the SeBackupPrivilege entries)

Suspicious use of WriteProcessMemory (7 IoCs)
- PID 1976 (rundll32.exe) wrote to memory of PID 1448, procid_target 28 (7 identical entries)
Processes

- C:\Windows\system32\rundll32.exe (PID 1976)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5455595d598c012ef4f1c780380e9da5be6aac3391fc160e601b2313b3a3618e.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 1448)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5455595d598c012ef4f1c780380e9da5be6aac3391fc160e601b2313b3a3618e.dll,#1
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (PID 1980)
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 197KB
  MD5: eda1a98b5f923dcddb0cef2cd68e727b
  SHA1: 4dd844389c6f7ed3c8439fa5c0bed0dc55bc8513
  SHA256: 49f334dca9bd56e41148c6d0e241f1e7e14f5c37b1ff21fd66e367781c206728
  SHA512: 54d3253e0dcdc212348c8964c75eeb8483ad6e9a8bd406be6c3cee6a4392ac82b90f196b144f44d43e27d70d1c816886c3b219316a985ad2e3502ae90992462e