Analysis

max time kernel: 151s
max time network: 100s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 17:33
Behavioral task: behavioral1
Sample: ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll
Resource: win7-20221111-en
General

Target: ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll
Size: 105KB
MD5: f130b2a825263b2766f3c5108270ab0d
SHA1: 3de865d14cebf181e3ab9cda3c8929dc7e447454
SHA256: ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1
SHA512: deb0a8e0e44008c9f194140114bdd5ce4f009d1188c623a7b4cc4ae9caf33db05b0da8043addb54bd3803f9712b1d020fa64cfae7b2383e894625b4cf6e13782
SSDEEP: 3072:BvBKS+26Y8zoz4EfZRzUKR/F4pEIbybZuwu1Uq:N8tA1fYmFEX2ZuwuC
Malware Config

Signatures

Gh0st RAT payload (1 IoC)
  resource                         yara_rule
  \??\c:\windows\filename.jpg      family_gh0strat

Drops file in Windows directory (2 IoCs)
  description                      ioc                          process
  File created                     C:\Windows\FileName.jpg      rundll32.exe
  File opened for modification     C:\Windows\FileName.jpg      rundll32.exe

Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid     process
  1816    svchost.exe
  (the same pid/process entry is repeated 42 times)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                      pid     process
  Token: SeBackupPrivilege         2040    rundll32.exe
  Token: SeRestorePrivilege        2040    rundll32.exe
  (the two token entries alternate, 8 events in total)

Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid     process         target process
  PID 1788 wrote to memory of 2040     1788    rundll32.exe    rundll32.exe
  (the same entry is repeated 7 times)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (child)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll,#1
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads

\??\c:\windows\filename.jpg
  Filesize: 8.6MB
  MD5: 6f85f055fdaf65ffd999a4c2312f692b
  SHA1: ad5284daeea50ff5b3d9bb57f07f9d8d9940fc51
  SHA256: a12c2ef8b4502d0e3de44d16364eac703d06cbd08d00a1611322a89f0e7421ba
  SHA512: 756b75e5f40cfaf7fe06f50565e00c4f951ebee075bb024bafeeaeccffecb2d13e91d49673d5bbc9849ff88b42e2a05511ee6cb3c319fde65a05871a0a0ca24c

memory/2040-54-0x0000000000000000-mapping.dmp

memory/2040-55-0x0000000076411000-0x0000000076413000-memory.dmp
  Filesize: 8KB