Analysis

max time kernel: 139s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/12/2023, 04:23

Behavioral task: behavioral1
Sample: 1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c.dll
Resource: win7-20231129-en
10 signatures, 150 seconds

Every signature and process entry below is tagged behavioral2, and the platform and resource fields above name the Windows 10 2004 x64 image, so the data on this page is from the behavioral2 run; the behavioral1 (win7-20231129-en) results are listed as a task but not shown here.
General

Target: 1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c.dll
Size: 319KB
MD5: 211fa8847690957dd4bf1c8cb6993d7b
SHA1: ba0ef4482355dc43fe8c6beb071bfbf99a8b91d5
SHA256: 1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c
SHA512: 2e057aaf8dc2f6268caf19334fb5e3602972274e25625abd6c88bb555268eb25148e15a28eda31e8df45b4431650e53aba29fb18c6f4f4bae402eec063524434
SSDEEP: 6144:/QGbu7dpaVdtGPLhXeDG5N9xWoCExmrxW:/47dkVEBz79xdCEx
Malware Config
Signatures
Gh0st RAT payload (6 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4072-9-0x0000000003800000-0x0000000003989000-memory.dmp    family_gh0strat
  behavioral2/memory/4072-10-0x0000000003800000-0x0000000003989000-memory.dmp   family_gh0strat
  behavioral2/memory/4072-11-0x0000000003800000-0x0000000003989000-memory.dmp   family_gh0strat
  behavioral2/memory/4072-12-0x0000000003800000-0x0000000003989000-memory.dmp   family_gh0strat
  behavioral2/memory/4072-14-0x0000000003800000-0x0000000003989000-memory.dmp   family_gh0strat
  behavioral2/memory/4072-23-0x0000000003800000-0x0000000003989000-memory.dmp   family_gh0strat

Blocklisted process makes network request (3 IoCs)
  flow   pid    Process
  9      4072   rundll32.exe
  22     4072   rundll32.exe
  35     4072   rundll32.exe

yara_rule upx (7 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4072-6-0x0000000003800000-0x0000000003989000-memory.dmp    upx
  behavioral2/memory/4072-9-0x0000000003800000-0x0000000003989000-memory.dmp    upx
  behavioral2/memory/4072-10-0x0000000003800000-0x0000000003989000-memory.dmp   upx
  behavioral2/memory/4072-11-0x0000000003800000-0x0000000003989000-memory.dmp   upx
  behavioral2/memory/4072-12-0x0000000003800000-0x0000000003989000-memory.dmp   upx
  behavioral2/memory/4072-14-0x0000000003800000-0x0000000003989000-memory.dmp   upx
  behavioral2/memory/4072-23-0x0000000003800000-0x0000000003989000-memory.dmp   upx

yara_rule vmprotect (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4072-0-0x0000000010000000-0x00000000100A0000-memory.dmp    vmprotect
  behavioral2/memory/4072-1-0x0000000010000000-0x00000000100A0000-memory.dmp    vmprotect
  behavioral2/memory/4072-22-0x0000000010000000-0x00000000100A0000-memory.dmp   vmprotect

Two distinct regions of PID 4072 are involved. The vmprotect rule hits only 0x10000000-0x100A0000, the loaded image of the DLL itself. The upx and family_gh0strat rules hit only 0x03800000-0x03989000, a separate region that is not the image: upx matches it from snapshot 6 and the Gh0st family rule from snapshot 9 onward, which is consistent with a packed second stage being placed in memory and unpacked there.
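The dump names above encode the task, PID, snapshot number and address range, so the "which rules hit which region, and when" question can be answered mechanically. The following script is an added example and not part of the sandbox report or its tooling; it assumes the naming scheme `<task>/memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp` seen on this page, treats `upx` and `vmprotect` as packer rules and anything starting with `family_` as a family rule, and uses the report's own hit list as its (constructed, inline) input. It flags a region where a packer rule and a family rule coincide as an unpacked payload in memory and reports whether the region is larger than the file on disk.

```python
import re
from collections import defaultdict

# Constructed input: the YARA hits listed in this report, one per line
# ("<dump name> <rule>"). The dump name encodes the task, the PID, a
# snapshot sequence number and the dumped address range.
HITS = """\
behavioral2/memory/4072-9-0x0000000003800000-0x0000000003989000-memory.dmp family_gh0strat
behavioral2/memory/4072-10-0x0000000003800000-0x0000000003989000-memory.dmp family_gh0strat
behavioral2/memory/4072-11-0x0000000003800000-0x0000000003989000-memory.dmp family_gh0strat
behavioral2/memory/4072-12-0x0000000003800000-0x0000000003989000-memory.dmp family_gh0strat
behavioral2/memory/4072-14-0x0000000003800000-0x0000000003989000-memory.dmp family_gh0strat
behavioral2/memory/4072-23-0x0000000003800000-0x0000000003989000-memory.dmp family_gh0strat
behavioral2/memory/4072-6-0x0000000003800000-0x0000000003989000-memory.dmp upx
behavioral2/memory/4072-9-0x0000000003800000-0x0000000003989000-memory.dmp upx
behavioral2/memory/4072-10-0x0000000003800000-0x0000000003989000-memory.dmp upx
behavioral2/memory/4072-11-0x0000000003800000-0x0000000003989000-memory.dmp upx
behavioral2/memory/4072-12-0x0000000003800000-0x0000000003989000-memory.dmp upx
behavioral2/memory/4072-14-0x0000000003800000-0x0000000003989000-memory.dmp upx
behavioral2/memory/4072-23-0x0000000003800000-0x0000000003989000-memory.dmp upx
behavioral2/memory/4072-0-0x0000000010000000-0x00000000100A0000-memory.dmp vmprotect
behavioral2/memory/4072-1-0x0000000010000000-0x00000000100A0000-memory.dmp vmprotect
behavioral2/memory/4072-22-0x0000000010000000-0x00000000100A0000-memory.dmp vmprotect
"""

# Assumed naming scheme: <task>/memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[\w-]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)

# Rule names treated as packer/protector hits rather than malware-family hits (assumption).
PACKER_RULES = {"upx", "vmprotect"}


def parse_hits(text):
    """Parse '<dump name> <rule>' lines into dicts; reject lines that do not fit the scheme."""
    hits = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised hit line: {line!r}")
        hits.append({
            "task": m["task"],
            "pid": int(m["pid"]),
            "seq": int(m["seq"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "rule": m["rule"],
        })
    return hits


def regions(hits):
    """Group hits by dumped region: (pid, start, end) -> {rule: sorted snapshot numbers}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for h in hits:
        grouped[(h["pid"], h["start"], h["end"])][h["rule"]].add(h["seq"])
    return {k: {r: sorted(s) for r, s in v.items()} for k, v in grouped.items()}


def summarize(hits, file_size):
    """One row per region: size, packer and family rules that hit it, the first
    snapshot each rule hit, and a verdict derived from the rule combination."""
    rows = []
    for (pid, start, end), rules in sorted(regions(hits).items()):
        packers = sorted(set(rules) & PACKER_RULES)
        families = sorted(r for r in rules if r.startswith("family_"))
        if packers and families:
            verdict = "unpacked payload in memory: packer and family rules hit the same region"
        elif families:
            verdict = "family rule only"
        else:
            verdict = "packer/protector only: no family rule hit this region"
        rows.append({
            "pid": pid,
            "range": f"0x{start:08X}-0x{end:08X}",
            "size": end - start,
            "larger_than_file": (end - start) > file_size,
            "first_seen": {r: s[0] for r, s in rules.items()},
            "packers": packers,
            "families": families,
            "verdict": verdict,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_hits(HITS), file_size=319 * 1024):
        print(row)
```

Run against the hits on this page it yields two rows: 0x03800000-0x03989000 (0x189000 bytes, larger than the 319KB file, upx first seen at snapshot 6, family_gh0strat at 9) with the unpacked-payload verdict, and 0x10000000-0x100A0000 with vmprotect only. The same grouping works unchanged on any Triage-style report that follows the naming scheme.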
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: rundll32.exe
  ioc (22 drive roots, in the order observed): \??\U:, \??\Y:, \??\I:, \??\K:, \??\M:, \??\O:, \??\V:, \??\R:, \??\X:, \??\H:, \??\L:, \??\N:, \??\P:, \??\Q:, \??\S:, \??\T:, \??\W:, \??\B:, \??\E:, \??\G:, \??\J:, \??\Z:

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. The ~MHz value is the CPU clock speed the kernel reports for that processor.
  description         ioc                                                                      Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0         rundll32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    rundll32.exe
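The two signatures above (drive-root enumeration and the CentralProcessor registry read) are simple enough to re-implement over a raw event stream. The script below is an added example, not code from the sandbox or from the sample; it assumes a constructed whitespace-separated event format (pid, image, operation, target) that is not the sandbox's own, and the threshold of three non-C: drive roots is an arbitrary choice for illustration. It includes a benign control process so the drive rule's false-positive behaviour is visible.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the sandbox output): whitespace-
# separated pid, image, operation, target. The 4072 lines mirror a subset of
# the IoCs above; explorer.exe is a benign control that touches two drive roots.
EVENTS = r"""
4072 rundll32.exe file_open  \??\U:
4072 rundll32.exe file_open  \??\Y:
4072 rundll32.exe file_open  \??\I:
4072 rundll32.exe file_open  \??\K:
4072 rundll32.exe file_open  \??\C:
4072 rundll32.exe reg_open   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
4072 rundll32.exe reg_query  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
1234 explorer.exe file_open  \??\C:
1234 explorer.exe file_open  \??\D:
"""

# \??\X: is the NT object-manager path of the DOS drive letter X:.
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")
# HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\<n> or a value beneath it (e.g. ~MHz).
CPU_KEY = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\(\d+)(?:\\([^\\]+))?$",
    re.IGNORECASE,
)


def parse_events(text):
    """Parse the constructed event lines into (pid, image, op, target) tuples."""
    events = []
    for line in text.strip().splitlines():
        pid, image, op, target = line.split(None, 3)
        events.append((int(pid), image, op, target))
    return events


def detect(events, min_drives=3):
    """Re-implement the two signatures over an event stream.

    enumerates_connected_drives: a process opens the root of at least
    `min_drives` distinct drive letters other than C:. Backup tools and
    Explorer do this too, so treat it as a weak, corroborating indicator.
    checks_processor_information: any open or query under CentralProcessor\\<n>.
    """
    drives = defaultdict(set)   # pid -> drive letters opened (C: excluded)
    cpu = defaultdict(set)      # pid -> CentralProcessor keys/values touched
    image_of = {}
    for pid, image, op, target in events:
        image_of[pid] = image
        if op == "file_open":
            m = DRIVE_ROOT.match(target)
            if m and m.group(1).upper() != "C":
                drives[pid].add(m.group(1).upper())
        elif op in ("reg_open", "reg_query"):
            m = CPU_KEY.search(target)
            if m:
                cpu[pid].add(m.group(2) or f"CentralProcessor\\{m.group(1)}")

    findings = []
    for pid in sorted(set(drives) | set(cpu)):
        if len(drives.get(pid, ())) >= min_drives:
            findings.append({"pid": pid, "image": image_of[pid],
                             "rule": "enumerates_connected_drives",
                             "evidence": sorted(drives[pid])})
        if cpu.get(pid):
            findings.append({"pid": pid, "image": image_of[pid],
                             "rule": "checks_processor_information",
                             "evidence": sorted(cpu[pid])})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(EVENTS)):
        print(finding)
```

On the constructed input only PID 4072 fires, on both rules; explorer.exe opens two roots but only one of them is not C:, so it stays below the threshold. Raising `min_drives` above the number of non-C: roots seen drops the drive finding while the registry finding remains, which is the right shape for a rule that should corroborate rather than stand alone.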
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  4072   rundll32.exe   (64 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                         pid    Process
  Token: 33                           4072   rundll32.exe
  Token: SeIncBasePriorityPrivilege   4072   rundll32.exe
  Token: 33                           4072   rundll32.exe
  Token: SeIncBasePriorityPrivilege   4072   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process        procid_target
  PID 4748 wrote to memory of 4072   4748   rundll32.exe   85
  PID 4748 wrote to memory of 4072   4748   rundll32.exe   85
  PID 4748 wrote to memory of 4072   4748   rundll32.exe   85
Processes

C:\Windows\system32\rundll32.exe  (PID 4748)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 4072, child of 4748)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a0340bac8f79df2ee140124cdcdace4852812a46666403cf7f5bb8ee3bdee1c.dll,#1
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

The DLL is invoked by export ordinal (",#1"). The 64-bit rundll32.exe in system32 (PID 4748) does not host the DLL itself: it starts the 32-bit SysWOW64 rundll32.exe (PID 4072) with the same command line, which is what rundll32 does when handed a 32-bit DLL, and every behavioral signature on this page is raised by that child. The three WriteProcessMemory events are all 4748 writing into its own child 4072; no write into an unrelated process is recorded, so on this evidence the WriteProcessMemory flag reflects the parent/child hand-off rather than injection into another process.