Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2024, 02:44
Behavioral task
behavioral1
Sample
b64fc47abc6b54d83e8bf471574a56ed.dll
Resource
win7-20240221-en
windows7-x64
General
-
Target
b64fc47abc6b54d83e8bf471574a56ed.dll
-
Size
138KB
-
MD5
b64fc47abc6b54d83e8bf471574a56ed
-
SHA1
c1b5991b8683fff43de3e08762a1af643db63977
-
SHA256
e666c4a8156cfaeae629746714e32d22a77669fd1ea0d37fc2220ce168bca41a
-
SHA512
5f7349517be3b53f38236fcde2f08c7e14d566e6c53116bfd1406ded66d98040c5d9584306f12029d0e2a3d6ebf31b1d45f5230bd29a08b6b82ecec7b1abc24e
-
SSDEEP
3072:CwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwl5iGHTqovq:JJVGpxx9b3wZuwl4GHTqo
Malware Config
Signatures
-
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral2/files/0x000d0000000224e9-3.dat family_gh0strat -
Loads dropped DLL 1 IoCs
pid Process 4600 svchost.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Cwhg\Mwqudkwyj.bmp rundll32.exe File created C:\Program Files (x86)\Cwhg\Mwqudkwyj.bmp rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeBackupPrivilege 3224 rundll32.exe Token: SeRestorePrivilege 3224 rundll32.exe Token: SeBackupPrivilege 3224 rundll32.exe Token: SeRestorePrivilege 3224 rundll32.exe Token: SeBackupPrivilege 3224 rundll32.exe Token: SeRestorePrivilege 3224 rundll32.exe Token: SeBackupPrivilege 3224 rundll32.exe Token: SeRestorePrivilege 3224 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1584 wrote to memory of 3224 1584 rundll32.exe 90 PID 1584 wrote to memory of 3224 1584 rundll32.exe 90 PID 1584 wrote to memory of 3224 1584 rundll32.exe 90
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b64fc47abc6b54d83e8bf471574a56ed.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b64fc47abc6b54d83e8bf471574a56ed.dll,#12⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4600
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16.5MB
MD5353382d565bf9c576b61e2f0d5811f75
SHA1fd3a95c413fc4f76da7ee8d95d008ec6256e5049
SHA2566d0ac1331360d785394301c39951b694f27d39f194b0b1442847993348b40e05
SHA5129453b9811fd3ce53d015e554956a394307f520fdf1e4326e49dedb4418a38ecfd16d51c1871a9cbbf6e2def3850e1d9a4fb3724b798ada6af51492f0118991df
