Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 18:32

Behavioral task
- behavioral1
- Sample: 5d0031d84dc5de0525748330f376aa1b7b13fc23d61cf9adcbb2afb06f7e524c.dll
- Resource: win7-20240508-en
- 4 signatures
- 150 seconds
General
- Target: 5d0031d84dc5de0525748330f376aa1b7b13fc23d61cf9adcbb2afb06f7e524c.dll
- Size: 899KB
- MD5: 57d61bfafb385db61288079b1e9e3392
- SHA1: 988b45bc51ca800006d439e0fe87fba2c722f306
- SHA256: 5d0031d84dc5de0525748330f376aa1b7b13fc23d61cf9adcbb2afb06f7e524c
- SHA512: 0d6991671bed0525286518b5d2340320cb733155cfbc3d6a4a4d0cfd3a26d89bd6ddd4e7af2787dd8e758dd6327927399273c8c3e77c5b257928be8de6ed3379
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXC:7wqd87VC
Malware Config
Extracted
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral1/memory/2216-0-0x0000000010000000-0x000000001014F000-memory.dmp | family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  2216 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 2432 wrote to memory of 2216 | 2432 | rundll32.exe | rundll32.exe
  PID 2432 wrote to memory of 2216 | 2432 | rundll32.exe | rundll32.exe
  PID 2432 wrote to memory of 2216 | 2432 | rundll32.exe | rundll32.exe
  PID 2432 wrote to memory of 2216 | 2432 | rundll32.exe | rundll32.exe
  PID 2432 wrote to memory of 2216 | 2432 | rundll32.exe | rundll32.exe
  PID 2432 wrote to memory of 2216 | 2432 | rundll32.exe | rundll32.exe
  PID 2432 wrote to memory of 2216 | 2432 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d0031d84dc5de0525748330f376aa1b7b13fc23d61cf9adcbb2afb06f7e524c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d0031d84dc5de0525748330f376aa1b7b13fc23d61cf9adcbb2afb06f7e524c.dll,#1
    - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads
- memory/2216-0-0x0000000010000000-0x000000001014F000-memory.dmp
  Filesize: 1.3MB