Analysis
- max time kernel: 160s
- max time network: 204s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 17:33
Behavioral task: behavioral1
- Sample: ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll
- Resource: win7-20221111-en
General
- Target: ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll
- Size: 105KB
- MD5: f130b2a825263b2766f3c5108270ab0d
- SHA1: 3de865d14cebf181e3ab9cda3c8929dc7e447454
- SHA256: ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1
- SHA512: deb0a8e0e44008c9f194140114bdd5ce4f009d1188c623a7b4cc4ae9caf33db05b0da8043addb54bd3803f9712b1d020fa64cfae7b2383e894625b4cf6e13782
- SSDEEP: 3072:BvBKS+26Y8zoz4EfZRzUKR/F4pEIbybZuwu1Uq:N8tA1fYmFEX2ZuwuC
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  Processes (resource / yara_rule):
    \??\c:\windows\filename.jpg   family_gh0strat
    C:\Windows\FileName.jpg       family_gh0strat
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1136  svchost.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created                  C:\Windows\FileName.jpg  rundll32.exe
    File opened for modification  C:\Windows\FileName.jpg  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    1136  svchost.exe  (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description / pid / process):
    Token: SeBackupPrivilege   3380  rundll32.exe
    Token: SeRestorePrivilege  3380  rundll32.exe
    (this pair of entries repeats four times, 8 entries in total)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 1660 wrote to memory of 3380  1660  rundll32.exe  rundll32.exe  (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll,#1
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\FileName.jpg
  Filesize: 6.4MB
  MD5: 4f1d84406e453d2fe20b78de484941a3
  SHA1: db8086d290e80b3fec82d12cfe7603e8645912aa
  SHA256: 2c0c041e4b6dc811242b91ffa3dc77719ba6f3f68c3152340faa43a448a79e25
  SHA512: f43ce5a9ef083a17db03e0caad7ad0de9d1997b8cbb3698b4b76c0faba6c9729cdd001667187a394e5e4f93fb7096d0a4d4297c871d4f1528972acccde54c5a2
- \??\c:\windows\filename.jpg
  Filesize: 6.4MB
  MD5: 4f1d84406e453d2fe20b78de484941a3
  SHA1: db8086d290e80b3fec82d12cfe7603e8645912aa
  SHA256: 2c0c041e4b6dc811242b91ffa3dc77719ba6f3f68c3152340faa43a448a79e25
  SHA512: f43ce5a9ef083a17db03e0caad7ad0de9d1997b8cbb3698b4b76c0faba6c9729cdd001667187a394e5e4f93fb7096d0a4d4297c871d4f1528972acccde54c5a2
- memory/3380-132-0x0000000000000000-mapping.dmp