Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 08:18
Behavioral task: behavioral1
Sample: 9610f1606a6da14958ea03252283629f985283caf88717c95f442b71a86d4407.dll
Resource: win7-20240508-en
Signatures: 4
Run time: 150 seconds
General
Target: 9610f1606a6da14958ea03252283629f985283caf88717c95f442b71a86d4407.dll
Size: 51KB
MD5: 9180b4b978b74eb7d41f906bb721b968
SHA1: e57b964de4388aaee8159766c0a6db63938c9f92
SHA256: 9610f1606a6da14958ea03252283629f985283caf88717c95f442b71a86d4407
SHA512: 7160c6f1d70b4a6a0fcb4e06fb2d86e7ab554616913d9f9af9fe466df5ffaaed09b22a02309b33d9583ba5dd0a30f3bef9840b30116844fea9e57d499084e0ee
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoL4JYH5:1dWubF3n9S91BF3fbosJYH5
Malware Config (extracted)
Family: gh0strat
C2: kinh.xmcxmr.com
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2408-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
Suspicious behavior: RenamesItself (1 IoC)
  pid 2408, process rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2148 wrote to memory of 2408 (7 identical entries)
  pid 2148 (rundll32.exe) -> target PID 2408 (rundll32.exe)
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9610f1606a6da14958ea03252283629f985283caf88717c95f442b71a86d4407.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9610f1606a6da14958ea03252283629f985283caf88717c95f442b71a86d4407.dll,#1
      - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads
memory/2408-0-0x0000000010000000-0x0000000010011000-memory.dmp (filesize: 68KB)