Analysis
- max time kernel: 131s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 21:58

Behavioral task: behavioral1
- Sample: 82c25009962b337038c88eee344ab6722d39a13142ea58f118a8d7e9db2e0a84.dll
- Resource: win7-20220901-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: 82c25009962b337038c88eee344ab6722d39a13142ea58f118a8d7e9db2e0a84.dll
- Size: 731KB
- MD5: 27f2c8739eeeeaec8325a87407ef8445
- SHA1: bd6b05c67f15e1e0f89a737db1400f7e58f28db0
- SHA256: 82c25009962b337038c88eee344ab6722d39a13142ea58f118a8d7e9db2e0a84
- SHA512: b05a44b684a6e7185a631f9fa85b432a9b87caae063e5ef96952f35147b0d17b00a05eafd1fd5e06e5dbc5a327edf200e0bc098595c34bec2d85e9e6f319dd0d
- SSDEEP: 12288:okS6u/x4ANYNUFLzTFoIiTtsdrwNIEuxAvkdtd1nwHw6rE7d3AYht9Rz:oN/31FLvFoIiJsdrOIRWvTpEZQ6
Malware Config
(empty in this report: no configuration was extracted)

Signatures

PurpleFox rootkit (yara rule purplefox_rootkit) 2 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2040-56-0x0000000002210000-0x00000000023B6000-memory.dmp   purplefox_rootkit
  behavioral1/memory/2040-62-0x0000000010000000-0x000000001017A000-memory.dmp   purplefox_rootkit

Gh0st RAT payload (yara rule family_gh0strat) 2 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2040-56-0x0000000002210000-0x00000000023B6000-memory.dmp   family_gh0strat
  behavioral1/memory/2040-62-0x0000000010000000-0x000000001017A000-memory.dmp   family_gh0strat

UPX-packed region (yara rule upx) 1 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2040-62-0x0000000010000000-0x000000001017A000-memory.dmp   upx

Both family rules fire on the same two regions of PID 2040. Region 2040-62 starts at 0x10000000, the default image base of a 32-bit DLL, and also matches the upx rule, so the Gh0st RAT / PurpleFox strings are being found in a UPX-packed DLL mapped without relocation; region 2040-56 at 0x02210000 is a separate heap-range allocation carrying the same strings, most likely the unpacked copy.
Adds Run key to start application 2 TTPs 1 IoCs
  process: rundll32.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ÏÔ¿¨Çý¶¯ = "C:\\Windows\\SysWOW64\\rundll32.exe"

The value name ÏÔ¿¨Çý¶¯ is the GBK string 显卡驱动 ("graphics card driver") rendered as Latin-1 (bytes CF D4 BF A8 C7 FD B6 AF); when hunting in registry exports, search for both spellings. The value data as recorded is the bare path of the 32-bit rundll32.exe with no DLL argument, so this entry does not by itself reload the DLL at logon: treat the registry write as the indicator and check whether the sample or a later stage rewrites the value.
Suspicious use of WriteProcessMemory 7 IoCs
  process: rundll32.exe
  PID 1228 (rundll32.exe) wrote to memory of PID 2040 (rundll32.exe), 7 events
Processes
- C:\Windows\system32\rundll32.exe (64-bit host; PID 1228, the writer in the WriteProcessMemory events)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\82c25009962b337038c88eee344ab6722d39a13142ea58f118a8d7e9db2e0a84.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (32-bit child; PID 2040, the process all memory dumps come from)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\82c25009962b337038c88eee344ab6722d39a13142ea58f118a8d7e9db2e0a84.dll,#1
    - Adds Run key to start application

The system32 to SysWOW64 hand-off is what a 64-bit rundll32.exe does when handed a 32-bit DLL: it re-launches the same command line under the WOW64 rundll32.exe, which is consistent with the 0x10000000 image base seen in the dumps. The payload therefore runs in PID 2040, and that is the process to dump or attach to.
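As an added example, not part of the Triage report or the sample's own code, the following Python applies the two checks an analyst wants on the Run-key IoC recorded above: undoing the Latin-1 rendering of the GBK value name, and inspecting the command for a bare rundll32.exe or a rundll32-loaded DLL in a user-writable path. The first registry entry is the one from this report; the `SecurityHealth` and `Updater` entries are constructed for contrast, and `Updater` is hypothetical.

```python
"""Run-key IoC triage. Added example, not code from the sandbox report.
The first RUN_ENTRIES item is the value recorded above; the other two are constructed."""
from __future__ import annotations
import re
from pathlib import PureWindowsPath
from typing import Optional

# HKCU/HKLM ...\CurrentVersion\Run and RunOnce value paths; captures the value name
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Path fragments a system binary should not be loading a DLL from
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def decode_mojibake(name: str, codec: str = "gbk") -> Optional[str]:
    """Undo a multibyte name that was displayed as Latin-1 (e.g. GBK bytes CF D4 ...).
    Returns None for plain ASCII, for text outside Latin-1, or if the bytes are not
    valid in `codec`."""
    if name.isascii():
        return None
    try:
        return name.encode("latin-1").decode(codec)
    except UnicodeError:
        return None


def split_cmdline(cmd: str) -> list[str]:
    """Minimal Windows-style split: double-quoted tokens or runs of non-space."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def check_run_value(key_path: str, data: str) -> list[str]:
    """Findings for one Run-key value; an empty list means nothing suspicious."""
    m = RUN_KEY_RE.search(key_path)
    if m is None:
        return []  # not an autostart value
    findings: list[str] = []
    decoded = decode_mojibake(m["name"])
    if decoded:
        findings.append(f"non-ascii-name:{decoded}")
    tokens = split_cmdline(data)
    if not tokens:
        return findings + ["empty-command"]
    if PureWindowsPath(tokens[0]).name.lower() == "rundll32.exe":
        if len(tokens) == 1:
            # rundll32 with no DLL argument exits immediately: the entry relaunches nothing
            findings.append("bare-rundll32")
        else:
            dll = tokens[1].split(",", 1)[0]  # strip the ",#ordinal" / ",Export" suffix
            if any(frag in dll.lower() for frag in USER_WRITABLE):
                findings.append(f"rundll32-dll-in-user-writable-path:{dll}")
    return findings


def audit(entries: dict[str, str]) -> dict[str, list[str]]:
    """Run check_run_value over {key_path: data}; keep only value names with findings."""
    out: dict[str, list[str]] = {}
    for key_path, data in entries.items():
        findings = check_run_value(key_path, data)
        if findings:
            out[key_path.rsplit("\\", 1)[-1]] = findings
    return out


# Constructed inventory: the first entry is this report's IoC, the others are made up
RUN_ENTRIES = {
    r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ÏÔ¿¨Çý¶¯":
        r"C:\Windows\SysWOW64\rundll32.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r'"%windir%\system32\SecurityHealthSystray.exe"',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":  # hypothetical entry
        r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\payload.dll,#1",
}

if __name__ == "__main__":
    for value_name, findings in audit(RUN_ENTRIES).items():
        print(value_name, "->", findings)
```

The Latin-1 round trip is the general trick for any sandbox or SIEM that stored a code-page string as if it were ISO-8859-1; pass `codec="big5"` or `"cp1251"` for samples from other locales. The user-writable check deliberately only looks at the DLL argument of rundll32.exe, so ordinary per-user autostarts such as OneDrive are not flagged.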
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps, all taken from PID 2040)
- memory/2040-54-0x0000000000000000-mapping.dmp (mapping file, no size listed)
- memory/2040-55-0x0000000075A11000-0x0000000075A13000-memory.dmp  8KB  (two pages high in 32-bit user space, where system DLLs load under WOW64)
- memory/2040-56-0x0000000002210000-0x00000000023B6000-memory.dmp  1.6MB  (flagged purplefox_rootkit, family_gh0strat)
- memory/2040-62-0x0000000010000000-0x000000001017A000-memory.dmp  1.5MB  (flagged purplefox_rootkit, family_gh0strat, upx; 0x10000000 is the default image base of an unrelocated 32-bit DLL)

The sizes follow from the address ranges: 0x23B6000 - 0x2210000 = 0x1A6000 bytes (1.6MB) and 0x1017A000 - 0x10000000 = 0x17A000 bytes (1.5MB).
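Added example, not part of the Triage report: a script that parses the dump file names from the Downloads list into PID, address range and size, recomputes the sizes the report prints, and joins each region to the YARA rows from the Signatures section, so the three hits on 2040-62 and the two on 2040-56 line up with their addresses. The dump names, printed sizes and rule rows are copied from this report; the `region_notes` heuristics are analyst remarks added here, not report output.

```python
"""Cross-check the Triage memory-dump listing against its YARA hits.
Added example, not Triage code. DUMPS and RULE_ROWS are copied from this report."""
from __future__ import annotations
import re
from collections import defaultdict

# behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
# memory/<pid>-<seq>-0x<addr>-mapping.dmp
DUMP_RE = re.compile(
    r"(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split a dump file name into pid, sequence number, kind and address range."""
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a Triage dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "kind": "memory" if end is not None else "mapping",
        "start": start,
        "end": end,
        "size": end - start if end is not None else None,
    }


def fmt_size(n: int) -> str:
    """Size as the report prints it: MiB to one decimal place, otherwise whole KiB."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def region_notes(r: dict) -> list[str]:
    """Heuristic remarks about where a region sits in a 32-bit (WOW64) process."""
    notes: list[str] = []
    if r["kind"] != "memory":
        return notes
    if r["start"] == 0x10000000:
        notes.append("default 32-bit DLL image base: an unrelocated DLL is mapped here")
    if 0x70000000 <= r["start"] < 0x80000000:
        notes.append("high user-space range where 32-bit system DLLs usually load under WOW64")
    if r["size"] >= 2**20:
        notes.append("large region: carve it for an MZ/PE header")
    return notes


def rule_hits(rows: list[str]) -> dict[str, set[str]]:
    """Group '<resource> <yara_rule>' rows by resource, dropping the behavioralN/ prefix."""
    hits: dict[str, set[str]] = defaultdict(set)
    for row in rows:
        resource, rule = row.split()
        hits[re.sub(r"^behavioral\d+/", "", resource)].add(rule)
    return dict(hits)


def summarize(dumps: list[tuple[str, str | None]], rows: list[str]) -> list[dict]:
    """Join the Downloads listing with the signature rows and verify the printed sizes."""
    hits = rule_hits(rows)
    out = []
    for name, printed in dumps:
        r = parse_dump_name(name)
        computed = fmt_size(r["size"]) if r["size"] is not None else None
        out.append({
            **r,
            "name": name,
            "size_ok": printed is None or computed == printed,
            "rules": sorted(hits.get(name, ())),
            "notes": region_notes(r),
        })
    return out


# Copied from the Downloads and Signatures sections of this report
DUMPS = [
    ("memory/2040-54-0x0000000000000000-mapping.dmp", None),
    ("memory/2040-55-0x0000000075A11000-0x0000000075A13000-memory.dmp", "8KB"),
    ("memory/2040-56-0x0000000002210000-0x00000000023B6000-memory.dmp", "1.6MB"),
    ("memory/2040-62-0x0000000010000000-0x000000001017A000-memory.dmp", "1.5MB"),
]
RULE_ROWS = [
    "behavioral1/memory/2040-56-0x0000000002210000-0x00000000023B6000-memory.dmp purplefox_rootkit",
    "behavioral1/memory/2040-62-0x0000000010000000-0x000000001017A000-memory.dmp purplefox_rootkit",
    "behavioral1/memory/2040-56-0x0000000002210000-0x00000000023B6000-memory.dmp family_gh0strat",
    "behavioral1/memory/2040-62-0x0000000010000000-0x000000001017A000-memory.dmp family_gh0strat",
    "behavioral1/memory/2040-62-0x0000000010000000-0x000000001017A000-memory.dmp upx",
]

if __name__ == "__main__":
    for r in summarize(DUMPS, RULE_ROWS):
        size = "-" if r["size"] is None else hex(r["size"])
        print(f"pid {r['pid']} seq {r['seq']:>2} {r['kind']:7} {size:>9} "
              f"size_ok={r['size_ok']} rules={r['rules']} notes={r['notes']}")
```

Running it shows that 2040-62 is the only region carrying all three rules and the only one at a DLL image base, which is the dump to feed to a UPX unpacker or a PE carver first; 2040-56 carries the same family strings without the upx hit and is the better candidate for string and config extraction.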