Analysis
- max time kernel: 124s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 08/12/2023, 04:23
Behavioral task: behavioral1
- Sample: 1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c.dll
- Resource: win7-20231129-en
- 10 signatures
- 150 seconds
General
- Target: 1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c.dll
- Size: 319KB
- MD5: 211fa8847690957dd4bf1c8cb6993d7b
- SHA1: ba0ef4482355dc43fe8c6beb071bfbf99a8b91d5
- SHA256: 1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c
- SHA512: 2e057aaf8dc2f6268caf19334fb5e3602972274e25625abd6c88bb555268eb25148e15a28eda31e8df45b4431650e53aba29fb18c6f4f4bae402eec063524434
- SSDEEP: 6144:/QGbu7dpaVdtGPLhXeDG5N9xWoCExmrxW:/47dkVEBz79xdCEx
Malware Config
Signatures
- Gh0st RAT payload (7 IoCs)
  resource | yara_rule
  - behavioral1/memory/2884-10-0x00000000031C0000-0x0000000003349000-memory.dmp | family_gh0strat
  - behavioral1/memory/2884-9-0x00000000031C0000-0x0000000003349000-memory.dmp | family_gh0strat
  - behavioral1/memory/2884-11-0x00000000031C0000-0x0000000003349000-memory.dmp | family_gh0strat
  - behavioral1/memory/2884-12-0x00000000031C0000-0x0000000003349000-memory.dmp | family_gh0strat
  - behavioral1/memory/2884-13-0x00000000031C0000-0x0000000003349000-memory.dmp | family_gh0strat
  - behavioral1/memory/2884-14-0x00000000031C0000-0x0000000003349000-memory.dmp | family_gh0strat
  - behavioral1/memory/2884-23-0x00000000031C0000-0x0000000003349000-memory.dmp | family_gh0strat
- Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  - 5 | 2884 | rundll32.exe
  - 6 | 2884 | rundll32.exe
  - 7 | 2884 | rundll32.exe
- (signature name missing from the extracted page; UPX yara rule matches, 8 IoCs)
  resource | yara_rule
  - behavioral1/memory/2884-6-0x00000000031C0000-0x0000000003349000-memory.dmp | upx
  - behavioral1/memory/2884-10-0x00000000031C0000-0x0000000003349000-memory.dmp | upx
  - behavioral1/memory/2884-9-0x00000000031C0000-0x0000000003349000-memory.dmp | upx
  - behavioral1/memory/2884-11-0x00000000031C0000-0x0000000003349000-memory.dmp | upx
  - behavioral1/memory/2884-12-0x00000000031C0000-0x0000000003349000-memory.dmp | upx
  - behavioral1/memory/2884-13-0x00000000031C0000-0x0000000003349000-memory.dmp | upx
  - behavioral1/memory/2884-14-0x00000000031C0000-0x0000000003349000-memory.dmp | upx
  - behavioral1/memory/2884-23-0x00000000031C0000-0x0000000003349000-memory.dmp | upx
- (signature name missing from the extracted page; VMProtect yara rule matches, 3 IoCs)
  resource | yara_rule
  - behavioral1/memory/2884-1-0x0000000010000000-0x00000000100A0000-memory.dmp | vmprotect
  - behavioral1/memory/2884-0-0x0000000010000000-0x00000000100A0000-memory.dmp | vmprotect
  - behavioral1/memory/2884-22-0x0000000010000000-0x00000000100A0000-memory.dmp | vmprotect
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  - File opened (read-only) | \??\H: | rundll32.exe
  - File opened (read-only) | \??\J: | rundll32.exe
  - File opened (read-only) | \??\K: | rundll32.exe
  - File opened (read-only) | \??\Q: | rundll32.exe
  - File opened (read-only) | \??\W: | rundll32.exe
  - File opened (read-only) | \??\E: | rundll32.exe
  - File opened (read-only) | \??\Z: | rundll32.exe
  - File opened (read-only) | \??\R: | rundll32.exe
  - File opened (read-only) | \??\I: | rundll32.exe
  - File opened (read-only) | \??\M: | rundll32.exe
  - File opened (read-only) | \??\N: | rundll32.exe
  - File opened (read-only) | \??\O: | rundll32.exe
  - File opened (read-only) | \??\P: | rundll32.exe
  - File opened (read-only) | \??\T: | rundll32.exe
  - File opened (read-only) | \??\V: | rundll32.exe
  - File opened (read-only) | \??\G: | rundll32.exe
  - File opened (read-only) | \??\L: | rundll32.exe
  - File opened (read-only) | \??\S: | rundll32.exe
  - File opened (read-only) | \??\U: | rundll32.exe
  - File opened (read-only) | \??\X: | rundll32.exe
  - File opened (read-only) | \??\Y: | rundll32.exe
  - File opened (read-only) | \??\B: | rundll32.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  pid | Process
  - 2884 | rundll32.exe (the same entry is repeated 34 times in the report)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  - Token: 33 | 2884 | rundll32.exe
  - Token: SeIncBasePriorityPrivilege | 2884 | rundll32.exe
  - Token: 33 | 2884 | rundll32.exe
  - Token: SeIncBasePriorityPrivilege | 2884 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  - PID 2232 wrote to memory of 2884 | 2232 | rundll32.exe | 28 (the same entry is repeated 7 times in the report)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c.dll,#1
  PID: 2232
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c.dll,#1
    PID: 2884
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken