Overview

overview

10

Static

static

10

gamft.dll

windows7-x64

8

gamft.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2023 21:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gamft.dll

  • Size

    378KB

  • MD5

    82d4025b84cf569ec82d21918d641540

  • SHA1

    62f5a16d1ef20064dd78f5d934c84d474aca8bbe

  • SHA256

    c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c

  • SHA512

    4b310bc91a10b02b659c6d08b42578b85e42697cbfd41823d84443b559ad6efb46952ffda9ac322933ac0cc66d13ce9698e824084e53093d05cfe71fd6d59df5

  • SSDEEP

    6144:jstnb/4misK1vTrwKrdumJ9QbFQUU9YNj/GW9wz29nH9laVgm1GChaIdVNoxB6MT:A5/jisK1vQKrduY+FQ39YNj/H2QnW3w1

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 21 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\gamft.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4488

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads