Overview

overview

10

Static

static

3

829cf4d4d0...JC.dll

windows7-x64

10

829cf4d4d0...JC.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    15-10-2023 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    829cf4d4d062b1fda42b43b4c00eab30_dll32_JC.dll

  • Size

    137KB

  • MD5

    829cf4d4d062b1fda42b43b4c00eab30

  • SHA1

    2d643c9cd1a30bfeb1b9d4642c2cda695dd15251

  • SHA256

    edd2d40dcf22ccda50923974cd012c5f4347f97193f80ba7703e00ec68182bde

  • SHA512

    c73525c66abc8c4d2276c9204185cb2ab697b2f3a5aeb46441b84eae0c480c27c458d085df95633c7a6294006d4eb710e8cb68ce7ffb13e1132cd34449b20c61

  • SSDEEP

    3072:DR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUu+:O25GgFny61mra8

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Registers new Print Monitor 2 TTPs 2 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\829cf4d4d062b1fda42b43b4c00eab30_dll32_JC.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\829cf4d4d062b1fda42b43b4c00eab30_dll32_JC.dll,#1
      2⤵
      • Registers new Print Monitor
      • Sets service image path in registry
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 232
        3⤵
        • Program crash
        PID:2328
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
    1⤵
      PID:2156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2360-5-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2360-4-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2360-6-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2360-7-0x0000000043E50000-0x0000000043E77000-memory.dmp

      Filesize

      156KB

      Download