Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
- submitted: 26-05-2024 04:35
Behavioral task
- behavioral1
- Sample: d667346d9f9a8eb34ca58b28e597247ad0b934d32fb9e33d239cdc0c95f2373b.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: d667346d9f9a8eb34ca58b28e597247ad0b934d32fb9e33d239cdc0c95f2373b.dll
- Size: 51KB
- MD5: d067324a52e666c3dcb94a1be643b6ab
- SHA1: b69cbb2693364bc7e1205f6810a6508ceb22577e
- SHA256: d667346d9f9a8eb34ca58b28e597247ad0b934d32fb9e33d239cdc0c95f2373b
- SHA512: 21b3f2e62865164233424769f42c108092df0f553b86021a7392d1d0963212ac2b468bf4f4b5219f595a828d1e65377b869aa515e58769fa953eb03e057ec13f
- SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frCoLHJYH5:1dWubF3n9S91BF3fGojJYH5
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  Processes:
  resource: behavioral2/memory/3252-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid 3252, process rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                        pid   process       target process
  PID 2736 wrote to memory of 3252   2736  rundll32.exe  rundll32.exe
  PID 2736 wrote to memory of 3252   2736  rundll32.exe  rundll32.exe
  PID 2736 wrote to memory of 3252   2736  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d667346d9f9a8eb34ca58b28e597247ad0b934d32fb9e33d239cdc0c95f2373b.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d667346d9f9a8eb34ca58b28e597247ad0b934d32fb9e33d239cdc0c95f2373b.dll,#1
    - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads
- memory/3252-0-0x0000000010000000-0x0000000010011000-memory.dmp
  Filesize: 68KB