Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/12/2023, 08:26
Behavioral task: behavioral1
Sample: 5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb.dll
Resource: win7-20231020-en
Signatures: 10
Run time: 150 seconds
General
Target: 5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb.dll
Size: 372KB
MD5: 6920fe0bce73dcfae77ad728bda8d60c
SHA1: ddf16dd6efe25caececea632af2ac2e45c0b92b6
SHA256: 5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb
SHA512: 2a76cde84f75c39b3904ea45d183176eef7157bd036171eafd652564e842298c34efb9a822716db20ee3fefb9c114f2bf5a6587c7935cb8e51a9b434d3113ef8
SSDEEP: 6144:NEVKITzhOErFhApL5ZgP3Rkkz3LTqzjYBu79VwOJi:N3IoEUpL5Z6GC3LTqHPXwO0
Malware Config
Signatures
Gh0st RAT payload (7 IoCs)
resource                                                                      yara_rule
behavioral2/memory/1624-12-0x0000000010000000-0x0000000010189000-memory.dmp   family_gh0strat
behavioral2/memory/1624-13-0x0000000010000000-0x0000000010189000-memory.dmp   family_gh0strat
behavioral2/memory/1624-11-0x0000000010000000-0x0000000010189000-memory.dmp   family_gh0strat
behavioral2/memory/1624-15-0x0000000010000000-0x0000000010189000-memory.dmp   family_gh0strat
behavioral2/memory/1624-14-0x0000000010000000-0x0000000010189000-memory.dmp   family_gh0strat
behavioral2/memory/1624-10-0x0000000010000000-0x0000000010189000-memory.dmp   family_gh0strat
behavioral2/memory/1624-24-0x0000000010000000-0x0000000010189000-memory.dmp   family_gh0strat
Blocklisted process makes network request (3 IoCs)
flow   pid    Process
19     1624   rundll32.exe
33     1624   rundll32.exe
67     1624   rundll32.exe
Yara rule upx matched (8 IoCs)
resource                                                                      yara_rule
behavioral2/memory/1624-7-0x0000000010000000-0x0000000010189000-memory.dmp    upx
behavioral2/memory/1624-12-0x0000000010000000-0x0000000010189000-memory.dmp   upx
behavioral2/memory/1624-13-0x0000000010000000-0x0000000010189000-memory.dmp   upx
behavioral2/memory/1624-11-0x0000000010000000-0x0000000010189000-memory.dmp   upx
behavioral2/memory/1624-15-0x0000000010000000-0x0000000010189000-memory.dmp   upx
behavioral2/memory/1624-14-0x0000000010000000-0x0000000010189000-memory.dmp   upx
behavioral2/memory/1624-10-0x0000000010000000-0x0000000010189000-memory.dmp   upx
behavioral2/memory/1624-24-0x0000000010000000-0x0000000010189000-memory.dmp   upx
Yara rule vmprotect matched (3 IoCs)
resource                                                                      yara_rule
behavioral2/memory/1624-0-0x00000000751F0000-0x00000000752B0000-memory.dmp    vmprotect
behavioral2/memory/1624-1-0x00000000751F0000-0x00000000752B0000-memory.dmp    vmprotect
behavioral2/memory/1624-23-0x00000000751F0000-0x00000000752B0000-memory.dmp   vmprotect
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only) by rundll32.exe, for each of the following paths:
\??\X: \??\G: \??\L: \??\T: \??\V: \??\Z: \??\E: \??\J: \??\N: \??\W: \??\P:
\??\Q: \??\B: \??\H: \??\K: \??\O: \??\U: \??\Y: \??\I: \??\M: \??\R: \??\S:
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                   Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       rundll32.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, all from pid 1624 rundll32.exe)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                         pid    Process
Token: 33                           1624   rundll32.exe
Token: SeIncBasePriorityPrivilege   1624   rundll32.exe
Token: 33                           1624   rundll32.exe
Token: SeIncBasePriorityPrivilege   1624   rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid    Process        procid_target
PID 1228 wrote to memory of 1624   1228   rundll32.exe   86
PID 1228 wrote to memory of 1624   1228   rundll32.exe   86
PID 1228 wrote to memory of 1624   1228   rundll32.exe   86
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb.dll,#1
   PID: 1228
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f16db7cbc48b5968c4570029dca662979ffb0caa09052a96a1b8684c43d45bb.dll,#1
      PID: 1624
      - Blocklisted process makes network request
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken