Analysis

- max time kernel: 125s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 08/12/2023, 08:26
Behavioral task

- task: behavioral1
- Sample: 5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb.dll
- Resource: win7-20231020-en
- signatures: 10
- run time: 150 seconds
General

- Target: 5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb.dll
- Size: 372KB
- MD5: 6920fe0bce73dcfae77ad728bda8d60c
- SHA1: ddf16dd6efe25caececea632af2ac2e45c0b92b6
- SHA256: 5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb
- SHA512: 2a76cde84f75c39b3904ea45d183176eef7157bd036171eafd652564e842298c34efb9a822716db20ee3fefb9c114f2bf5a6587c7935cb8e51a9b434d3113ef8
- SSDEEP: 6144:NEVKITzhOErFhApL5ZgP3Rkkz3LTqzjYBu79VwOJi:N3IoEUpL5Z6GC3LTqHPXwO0
Malware Config
Signatures

Gh0st RAT payload (6 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2472-14-0x0000000010000000-0x0000000010189000-memory.dmp | family_gh0strat |
| behavioral1/memory/2472-13-0x0000000010000000-0x0000000010189000-memory.dmp | family_gh0strat |
| behavioral1/memory/2472-12-0x0000000010000000-0x0000000010189000-memory.dmp | family_gh0strat |
| behavioral1/memory/2472-16-0x0000000010000000-0x0000000010189000-memory.dmp | family_gh0strat |
| behavioral1/memory/2472-17-0x0000000010000000-0x0000000010189000-memory.dmp | family_gh0strat |
| behavioral1/memory/2472-27-0x0000000010000000-0x0000000010189000-memory.dmp | family_gh0strat |
Blocklisted process makes network request (3 IoCs)

| flow | pid | Process |
|---|---|---|
| 4 | 2472 | rundll32.exe |
| 6 | 2472 | rundll32.exe |
| 7 | 2472 | rundll32.exe |

yara_rule upx (7 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2472-9-0x0000000010000000-0x0000000010189000-memory.dmp | upx |
| behavioral1/memory/2472-14-0x0000000010000000-0x0000000010189000-memory.dmp | upx |
| behavioral1/memory/2472-13-0x0000000010000000-0x0000000010189000-memory.dmp | upx |
| behavioral1/memory/2472-12-0x0000000010000000-0x0000000010189000-memory.dmp | upx |
| behavioral1/memory/2472-16-0x0000000010000000-0x0000000010189000-memory.dmp | upx |
| behavioral1/memory/2472-17-0x0000000010000000-0x0000000010189000-memory.dmp | upx |
| behavioral1/memory/2472-27-0x0000000010000000-0x0000000010189000-memory.dmp | upx |

yara_rule vmprotect (3 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2472-2-0x0000000074C50000-0x0000000074D10000-memory.dmp | vmprotect |
| behavioral1/memory/2472-1-0x0000000074C50000-0x0000000074D10000-memory.dmp | vmprotect |
| behavioral1/memory/2472-26-0x0000000074C50000-0x0000000074D10000-memory.dmp | vmprotect |
Enumerates connected drives (3 TTPs, 22 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\H: | rundll32.exe |
| File opened (read-only) | \??\K: | rundll32.exe |
| File opened (read-only) | \??\P: | rundll32.exe |
| File opened (read-only) | \??\S: | rundll32.exe |
| File opened (read-only) | \??\Y: | rundll32.exe |
| File opened (read-only) | \??\G: | rundll32.exe |
| File opened (read-only) | \??\E: | rundll32.exe |
| File opened (read-only) | \??\J: | rundll32.exe |
| File opened (read-only) | \??\L: | rundll32.exe |
| File opened (read-only) | \??\N: | rundll32.exe |
| File opened (read-only) | \??\R: | rundll32.exe |
| File opened (read-only) | \??\T: | rundll32.exe |
| File opened (read-only) | \??\X: | rundll32.exe |
| File opened (read-only) | \??\B: | rundll32.exe |
| File opened (read-only) | \??\U: | rundll32.exe |
| File opened (read-only) | \??\Z: | rundll32.exe |
| File opened (read-only) | \??\Q: | rundll32.exe |
| File opened (read-only) | \??\M: | rundll32.exe |
| File opened (read-only) | \??\O: | rundll32.exe |
| File opened (read-only) | \??\V: | rundll32.exe |
| File opened (read-only) | \??\W: | rundll32.exe |
| File opened (read-only) | \??\I: | rundll32.exe |
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe |
Suspicious behavior: EnumeratesProcesses (34 IoCs)

| pid | Process |
|---|---|
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
| 2472 | rundll32.exe |
Suspicious use of AdjustPrivilegeToken (4 IoCs)

| description | pid | Process |
|---|---|---|
| Token: 33 | 2472 | rundll32.exe |
| Token: SeIncBasePriorityPrivilege | 2472 | rundll32.exe |
| Token: 33 | 2472 | rundll32.exe |
| Token: SeIncBasePriorityPrivilege | 2472 | rundll32.exe |
Suspicious use of WriteProcessMemory (7 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2064 wrote to memory of 2472 | 2064 | rundll32.exe | 28 |
| PID 2064 wrote to memory of 2472 | 2064 | rundll32.exe | 28 |
| PID 2064 wrote to memory of 2472 | 2064 | rundll32.exe | 28 |
| PID 2064 wrote to memory of 2472 | 2064 | rundll32.exe | 28 |
| PID 2064 wrote to memory of 2472 | 2064 | rundll32.exe | 28 |
| PID 2064 wrote to memory of 2472 | 2064 | rundll32.exe | 28 |
| PID 2064 wrote to memory of 2472 | 2064 | rundll32.exe | 28 |
Processes

- C:\Windows\system32\rundll32.exe (PID: 2064)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 2472)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb.dll,#1
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken