Analysis
- max time kernel: 140s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 27-04-2024 18:21
Behavioral task: behavioral1
- Sample: 196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98.dll
- Resource: win7-20231129-en (windows7-x64)
- 4 signatures
- 150 seconds
General
- Target: 196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98.dll
- Size: 50KB
- MD5: 9a37b502e15360b97ad6334fea67dfba
- SHA1: 55ce73bac6481387827e67fbe3741edd81d98087
- SHA256: 196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98
- SHA512: b8a71f05fd926ff845719c9337e99148ee9f17913eb61a137329a79963dd41b2cd9539e620c0b296ef508b7aefd8227aec7289f993d8b5622371cf267e1b6752
- SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5vJYH:W5ReWjTrW9rNPgYoNJYH
Malware Config
Extracted
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral1/memory/2864-0-0x0000000010000000-0x0000000010011000-memory.dmp | family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  2864 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 2168 wrote to memory of 2864 | 2168 | rundll32.exe | rundll32.exe
  (the same entry is recorded 7 times, one per IoC)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98.dll,#1
    - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads
- memory/2864-0-0x0000000010000000-0x0000000010011000-memory.dmp (Filesize: 68KB)
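The process tree above is the usual shape for a 32-bit DLL staged in the user's Temp folder: the 64-bit rundll32.exe in system32 re-launches the SysWOW64 rundll32.exe with the identical command line, the DLL is invoked by ordinal (#1), and the parent writes into the child's memory. The Python below is an added example, not part of the sandbox report: it scores process-creation events for that combination and parses the memory-dump name from the Signatures and Downloads sections to confirm that the dumped region (0x10000000 to 0x10011000) is the 68KB the report lists. The events are constructed from the two command lines and the PIDs in the report plus one benign decoy; the event schema and the parent PID 1000 are assumptions.

```python
"""Triage helpers for the rundll32 -> rundll32 pattern in the report above.

Added example, not part of the sandbox report.  The events below are CONSTRUCTED
from the two command lines in the Processes section (PIDs taken from the
WriteProcessMemory signature) plus one benign decoy; the event schema and the
parent PID 1000 are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98.dll")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Constructed process-creation events (see module docstring).
EVENTS = [
    ProcEvent(2168, 1000, r"C:\Windows\system32\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2864, 2168, r"C:\Windows\SysWOW64\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    # Benign decoy: rundll32 calling a named export of a system DLL.
    ProcEvent(3000, 1000, r"C:\Windows\system32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]

# rundll32 syntax: rundll32[.exe] <dll>,<entry>  where <entry> is a name or #ordinal
RUNDLL_CMD = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>#\d+|\w+)',
    re.IGNORECASE)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, entry) for a rundll32 command line, or None."""
    m = RUNDLL_CMD.search(cmdline)
    return (m.group("dll"), m.group("entry")) if m else None


def flag_rundll32_events(events):
    """Return [(pid, reasons)] for rundll32 launches that trip at least two indicators."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith(r"\rundll32.exe"):
            continue
        parsed = parse_rundll32(e.cmdline)
        if parsed is None:
            continue
        dll, entry = parsed
        parent = by_pid.get(e.ppid)
        reasons = []
        if entry.startswith("#"):                      # export called by ordinal
            reasons.append("export-by-ordinal")
        if USER_TEMP.search(dll):                      # DLL staged in the user's Temp
            reasons.append("dll-in-user-temp")
        if parent and parent.image.lower().endswith(r"\rundll32.exe"):
            reasons.append("rundll32-parent")          # rundll32 spawned by rundll32
        if (parent and "\\syswow64\\" in e.image.lower()
                and "\\system32\\" in parent.image.lower()):
            reasons.append("wow64-transition")         # 64-bit host re-launched 32-bit copy
        if len(reasons) >= 2:
            findings.append((e.pid, tuple(reasons)))
    return findings


# Sandbox dump names look like <pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE)


def parse_dump_name(name):
    """Split a dump file name into pid, start, end and size (bytes)."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


if __name__ == "__main__":
    for pid, reasons in flag_rundll32_events(EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
    d = parse_dump_name("2864-0-0x0000000010000000-0x0000000010011000-memory.dmp")
    # 0x10000000 is the default image base the MSVC linker gives DLLs, so a region
    # starting there is the (unrelocated) DLL image rather than a heap allocation.
    print(f"dump of pid {d['pid']}: {d['size']} bytes ({d['size'] // 1024} KB)")
```

The two-indicator threshold keeps the decoy (a named export of a system DLL, no rundll32 parent) out of the findings while both report processes are flagged; the dump-name parse shows the dumped range is exactly 0x11000 bytes, which is the 68KB the Downloads section reports.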