Analysis

max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 16:33
Behavioral task

behavioral1
Sample: 1e2099f4cc028872eb9553c9f88cbc6b47bc5a89a79047e03915228f82270b30.dll
Resource: win7-20240419-en (windows7-x64)
4 signatures
150 seconds
General

Target: 1e2099f4cc028872eb9553c9f88cbc6b47bc5a89a79047e03915228f82270b30.dll
Size: 50KB
MD5: 7cf3d02eb5fade66a0994533a72dd33e
SHA1: 28e3ab14fc25121ffd7cf70b50fccddfc18dce6c
SHA256: 1e2099f4cc028872eb9553c9f88cbc6b47bc5a89a79047e03915228f82270b30
SHA512: b4a6122fba688ee5218439b8371ed323a79e078f8787d4a02aad3df46b984d23adb23aea8d6669cee405d27ea4e467001d1e6e30a219b703390205268c19abf6
SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5SJYH:W5ReWjTrW9rNPgYocJYH
Malware Config

Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2292-0-0x0000000010000000-0x0000000010011000-memory.dmp   family_gh0strat

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
  pid    process
  2292   rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                         pid    process        target process
  PID 2256 wrote to memory of 2292    2256   rundll32.exe   rundll32.exe
  PID 2256 wrote to memory of 2292    2256   rundll32.exe   rundll32.exe
  PID 2256 wrote to memory of 2292    2256   rundll32.exe   rundll32.exe
  PID 2256 wrote to memory of 2292    2256   rundll32.exe   rundll32.exe
  PID 2256 wrote to memory of 2292    2256   rundll32.exe   rundll32.exe
  PID 2256 wrote to memory of 2292    2256   rundll32.exe   rundll32.exe
  PID 2256 wrote to memory of 2292    2256   rundll32.exe   rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e2099f4cc028872eb9553c9f88cbc6b47bc5a89a79047e03915228f82270b30.dll,#1
   PID: 2256
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2256)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e2099f4cc028872eb9553c9f88cbc6b47bc5a89a79047e03915228f82270b30.dll,#1
      PID: 2292
      - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads

memory/2292-0-0x0000000010000000-0x0000000010011000-memory.dmp
Filesize: 68KB