Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/08/2023, 21:35
Behavioral task: behavioral1
- Sample: a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae.dll
- Resource: win7-20230712-en
- 14 signatures
- 150 seconds
General
- Target: a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae.dll
- Size: 432KB
- MD5: 1ec07a06295fbd106998f68f81035292
- SHA1: 9344788b70d9e4be55aefcf7fc031834463582ef
- SHA256: a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae
- SHA512: 922bff3a99501c286450982eab6b5375c9b4833c8090f661a1bb93eaa3a6bc6ac60589a2d91bc11e1422c41ef52629502af3980cc02cd28dcaf567fe2d90024f
- SSDEEP: 12288:kov9YJjrV+pJR6cuXFqaYCL9yKASIAcl3hkWWlyvQO:B+JHVyR6xXky0KASbcdh6yvQO
Malware Config
Signatures
-
resource | yara_rule
behavioral2/memory/1240-11-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
behavioral2/memory/1240-12-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 2 IoCs
resource | yara_rule
behavioral2/memory/1240-11-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
behavioral2/memory/1240-12-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 2284 created 624 | 2284 | rundll32.exe | 49
-
resource | yara_rule
behavioral2/memory/2284-0-0x0000000010000000-0x0000000010089000-memory.dmp | upx
behavioral2/memory/1240-1-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral2/memory/1240-3-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral2/memory/1240-2-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral2/memory/1240-7-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral2/memory/1240-8-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral2/memory/1240-9-0x0000000000400000-0x0000000000543000-memory.dmp | upx
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\O: | svchost.exe
File opened (read-only) | \??\R: | svchost.exe
File opened (read-only) | \??\T: | svchost.exe
File opened (read-only) | \??\U: | svchost.exe
File opened (read-only) | \??\Y: | svchost.exe
File opened (read-only) | \??\B: | svchost.exe
File opened (read-only) | \??\J: | svchost.exe
File opened (read-only) | \??\N: | svchost.exe
File opened (read-only) | \??\Q: | svchost.exe
File opened (read-only) | \??\S: | svchost.exe
File opened (read-only) | \??\Z: | svchost.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\I: | svchost.exe
File opened (read-only) | \??\K: | svchost.exe
File opened (read-only) | \??\W: | svchost.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\M: | svchost.exe
File opened (read-only) | \??\P: | svchost.exe
File opened (read-only) | \??\X: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\L: | svchost.exe
File opened (read-only) | \??\V: | svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2284 set thread context of 1240 | 2284 | rundll32.exe | 83
-
Modifies data under HKEY_USERS 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2284 | rundll32.exe (2 entries)
1240 | svchost.exe (the remaining 62 of the 64 entries)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2284 | rundll32.exe
Token: 33 | 1240 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1240 | svchost.exe
Token: 33 | 1240 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1240 | svchost.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 3348 wrote to memory of 2284 | 3348 | rundll32.exe | 82 (3 entries)
PID 2284 wrote to memory of 1240 | 2284 | rundll32.exe | 83 (8 entries)
Processes
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 624
  - C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
    PID: 1240
    - Enumerates connected drives
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae.dll,#1
  PID: 3348
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae.dll,#1
    PID: 2284
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory