Analysis

max time kernel: 144s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 04:21

Behavioral task: behavioral1
Sample: e63e3e252942e727a14c9b6feabd797a3e4352fa13f0dac80688ff6f4ab6e4b8.dll
Resource: win7-20240215-en
4 signatures
150 seconds
General

Target: e63e3e252942e727a14c9b6feabd797a3e4352fa13f0dac80688ff6f4ab6e4b8.dll
Size: 51KB
MD5: 263353643eb95f6f9fa4741da9a702fe
SHA1: 8261f6631c97e9156654b7f0f9af7450336bf11e
SHA256: e63e3e252942e727a14c9b6feabd797a3e4352fa13f0dac80688ff6f4ab6e4b8
SHA512: f3e239d45dbe1701a2ee1476aa76f81193b6e281f8f0575ece643eebccb2cd08a719488ac3019b0b2a2cbb63487f64b31521a4a6b27ef8192c8de404cd8a84fb
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLaJYH5:1dWubF3n9S91BF3fbo+JYH5
Malware Config

Extracted
Family: gh0strat
C2: kinh.xmcxmr.com
Signatures

Gh0st RAT payload (1 IoCs)
Processes:
  resource: behavioral2/memory/744-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
  pid 744, process rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      pid   process        target process
  PID 100 wrote to memory of 744   100   rundll32.exe   rundll32.exe
  PID 100 wrote to memory of 744   100   rundll32.exe   rundll32.exe
  PID 100 wrote to memory of 744   100   rundll32.exe   rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e63e3e252942e727a14c9b6feabd797a3e4352fa13f0dac80688ff6f4ab6e4b8.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of process 1)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e63e3e252942e727a14c9b6feabd797a3e4352fa13f0dac80688ff6f4ab6e4b8.dll,#1
      - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads

memory/744-0-0x0000000010000000-0x0000000010011000-memory.dmp
Filesize: 68KB