Analysis
max time kernel: 144s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 21:23
Static task: static1
Behavioral task: behavioral1
    Sample: 10a6f27bfe7df6468b513c699e340ce653d57780122281936f81a0de3e908a8b.dll
    Resource: win7-20220812-en (windows7-x64)
    7 signatures, 150 seconds
General
Target: 10a6f27bfe7df6468b513c699e340ce653d57780122281936f81a0de3e908a8b.dll
Size: 1.4MB
MD5: c09967bc3cf34135daa7d1b03f18f19c
SHA1: 207cc7b44ccb8714117ff5aa093d72c688124514
SHA256: 10a6f27bfe7df6468b513c699e340ce653d57780122281936f81a0de3e908a8b
SHA512: 7d83027ba35833270a418342892a720d7701ea7ef8fc8d114994d1226aea0ee069ed3949796034fc7bbd410102da598dbe9249b859627b707cc3613ca63fed51
SSDEEP: 12288:CKY/1o26kw6BEVNsa4gOYKikqiCUDqgsX+QOpda8RUTMfgVSl54DeSWKVJLlqX7l:36BA5+J/aQgVSlarWMWieUU
Malware Config
Signatures
(all hits below come from the behavioral2 run; the two YARA matches are on the same dumped memory region of pid 488)

YARA rule purplefox_rootkit matched: 1 IoC
    resource: behavioral2/memory/488-134-0x0000000002E00000-0x0000000002FA6000-memory.dmp

Gh0st RAT payload (YARA rule family_gh0strat): 1 IoC
    resource: behavioral2/memory/488-134-0x0000000002E00000-0x0000000002FA6000-memory.dmp

Blocklisted process makes network request: 2 IoCs
    flow 4, pid 488, rundll32.exe
    flow 58, pid 488, rundll32.exe

Adds Run key to start application: 2 TTPs, 1 IoC
    Set value (str) by rundll32.exe: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Éù¿¨Çý¶¯ = "C:\\Windows\\SysWOW64\\rundll32.exe"
    The value name is the GBK encoding of 声卡驱动 ("sound card driver") as displayed through the sandbox's en-US code page, so the string is a useful hunting IoC in that exact byte form. Note that the value data is the bare SysWOW64 rundll32.exe path with no DLL argument; run on its own that command loads nothing, so this value as written is not by itself enough to reload the sample at logon.

Suspicious use of WriteProcessMemory: 3 IoCs
    PID 4560 (rundll32.exe) wrote to memory of PID 488 (rundll32.exe), reported three times
Processes
C:\Windows\system32\rundll32.exe (PID 4560)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\10a6f27bfe7df6468b513c699e340ce653d57780122281936f81a0de3e908a8b.dll,#1
    - Suspicious use of WriteProcessMemory
    └ C:\Windows\SysWOW64\rundll32.exe (PID 488)
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\10a6f27bfe7df6468b513c699e340ce653d57780122281936f81a0de3e908a8b.dll,#1
        - Blocklisted process makes network request
        - Adds Run key to start application

The DLL is invoked by export ordinal #1. The 64-bit rundll32.exe re-launches the same command line under the 32-bit SysWOW64 rundll32.exe (the resource is tagged arch:x86 as well as arch:x64), and it is the 32-bit child, PID 488, that carries the Gh0st/PurpleFox memory signatures, the network flows and the Run key write.
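As a worked example of turning the signatures and process tree above into a detection, the following Python triage rule runs over constructed endpoint telemetry that mirrors this report. This is added example code, not output of the sandbox or code from any project; the Event record layout, the field names and the triage() rule are assumptions, while the PIDs, image paths, DLL path and Run value are copied from the report so the rule can be checked against them. decode_mojibake_gbk() shows how the Run value name was produced: a GBK string written on an en-US system and read back through code page 1252.

```python
"""Triage rule over constructed telemetry modelled on the sandbox report above.

Added example, not part of the report. Event layout, field names and the rule
logic are assumptions; PIDs, paths and the registry value mirror the report.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\10a6f27bfe7df6468b513c699e340ce653d57780122281936f81a0de3e908a8b.dll"
RUN_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Event:
    kind: str                        # "process", "wpm", "registry" or "network"
    pid: int
    image: str = ""                  # process: image path
    cmdline: str = ""                # process: command line
    ppid: Optional[int] = None       # process: parent pid
    target_pid: Optional[int] = None # wpm: process written into
    key: str = ""                    # registry: full key path
    name: str = ""                   # registry: value name
    data: str = ""                   # registry: value data


# Constructed telemetry reproducing what the report shows for behavioral2.
EVENTS = [
    Event("process", 4560, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    Event("process", 488, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1", ppid=4560),
    Event("wpm", 4560, target_pid=488),
    Event("registry", 488,
          key=r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000" + RUN_KEY,
          name="Éù¿¨Çý¶¯", data=r"C:\Windows\SysWOW64\rundll32.exe"),
    Event("network", 488),   # flow 4
    Event("network", 488),   # flow 58
]


def decode_mojibake_gbk(name: str) -> str:
    """Undo GBK bytes shown through code page 1252; returns the input if it is not GBK."""
    try:
        return name.encode("cp1252").decode("gbk")
    except UnicodeError:
        return name


def rundll32_wow64_injection(events: List[Event]) -> List[Tuple[int, int]]:
    """64-bit rundll32 spawning SysWOW64 rundll32 on the same command line and writing into it."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    written = {(e.pid, e.target_pid) for e in events if e.kind == "wpm"}
    hits = []
    for child in procs.values():
        parent = procs.get(child.ppid) if child.ppid is not None else None
        if parent is None:
            continue
        if (parent.image.lower().endswith(r"\system32\rundll32.exe")
                and child.image.lower().endswith(r"\syswow64\rundll32.exe")
                and parent.cmdline == child.cmdline
                and (parent.pid, child.pid) in written):
            hits.append((parent.pid, child.pid))
    return hits


def suspicious_run_values(events: List[Event]) -> List[Tuple[int, str, List[str]]]:
    """Run values whose data is a bare rundll32.exe or whose name is non-ASCII (mojibake)."""
    hits = []
    for e in events:
        if e.kind != "registry" or not e.key.lower().endswith(RUN_KEY.lower()):
            continue
        reasons = []
        if e.data.strip('"').lower().split("\\")[-1] == "rundll32.exe":
            reasons.append("bare rundll32.exe with no DLL argument")
        if any(ord(c) > 127 for c in e.name):
            reasons.append(f"non-ASCII value name (GBK: {decode_mojibake_gbk(e.name)})")
        if reasons:
            hits.append((e.pid, e.name, reasons))
    return hits


def network_pids(events: List[Event]) -> List[int]:
    return sorted({e.pid for e in events if e.kind == "network"})


def triage(events: List[Event]) -> List[str]:
    """One finding line per matched behaviour, in the order the report lists them."""
    findings = []
    for parent, child in rundll32_wow64_injection(events):
        findings.append(f"rundll32 {parent} -> SysWOW64 rundll32 {child} with WriteProcessMemory")
    for pid, name, reasons in suspicious_run_values(events):
        findings.append(f"pid {pid} Run value {name!r}: " + "; ".join(reasons))
    net = network_pids(events)
    if net:
        findings.append(f"network activity from rundll32 pids {net}")
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The rule deliberately requires the parent-to-child WriteProcessMemory in addition to the system32-to-SysWOW64 rundll32 hand-off, because the hand-off alone also happens for benign 32-bit DLLs; the Run value check is what ties the chain to persistence. Feeding the same Event records from real EDR or Sysmon data (process create, registry set, network connect) is the only change needed to run it against a host.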