Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
11-06-2024 19:45
Static task
static1
Behavioral task
behavioral1
Sample
24c92589686140881da82af4492fce5956eabd7328cec787ea5785325c7b95ea.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
24c92589686140881da82af4492fce5956eabd7328cec787ea5785325c7b95ea.dll
Resource
win10v2004-20240426-en
General
-
Target
24c92589686140881da82af4492fce5956eabd7328cec787ea5785325c7b95ea.dll
-
Size
137KB
-
MD5
54242b49850eaa3361c1b62f569670c6
-
SHA1
628d307897f84a7e984af60416191f9fc70d8066
-
SHA256
24c92589686140881da82af4492fce5956eabd7328cec787ea5785325c7b95ea
-
SHA512
17353222b58a32e6b934f8afb38dcf745fd8ea7259bad5522e47d02770c30114d6b33c4d9b7210073004774092d41401733290fb85fcb77843aedb8f7e5426c9
-
SSDEEP
3072:5R02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuE:U25GgFny61mraW
Malware Config
Signatures
-
Gh0st RAT payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2104-4-0x0000000010000000-0x000000001001C000-memory.dmp family_gh0strat behavioral2/memory/2104-9-0x0000000010000000-0x000000001001C000-memory.dmp family_gh0strat behavioral2/memory/2104-32-0x0000000010000000-0x000000001001C000-memory.dmp family_gh0strat -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 7 2104 rundll32.exe -
Registers new Print Monitor 2 TTPs 16 IoCs
Processes:
rundll32.exeSpoolsv.exesvchost.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor rundll32.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP Spoolsv.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll" rundll32.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports Spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor svchost.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll" svchost.exe -
Sets service image path in registry 2 TTPs 2 IoCs
Processes:
rundll32.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "Spoolsv.exe" rundll32.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "Spoolsv.exe" svchost.exe -
ACProtect 1.3x - 1.4x DLL software 15 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule behavioral2/memory/2104-4-0x0000000010000000-0x000000001001C000-memory.dmp acprotect behavioral2/memory/2104-14-0x0000000002EF0000-0x0000000002F0D000-memory.dmp acprotect behavioral2/memory/2104-12-0x0000000002EF0000-0x0000000002F0D000-memory.dmp acprotect behavioral2/memory/2104-13-0x0000000002EF0000-0x0000000002F0D000-memory.dmp acprotect behavioral2/memory/2104-11-0x0000000002EF0000-0x0000000002F0D000-memory.dmp acprotect behavioral2/memory/2104-5-0x0000000002EF0000-0x0000000002F0D000-memory.dmp acprotect behavioral2/memory/2104-9-0x0000000010000000-0x000000001001C000-memory.dmp acprotect behavioral2/memory/2104-16-0x0000000002EF0000-0x0000000002F0D000-memory.dmp acprotect behavioral2/memory/2000-30-0x0000000000BD0000-0x0000000000BED000-memory.dmp acprotect behavioral2/memory/2000-29-0x0000000000BD0000-0x0000000000BED000-memory.dmp acprotect behavioral2/memory/2000-27-0x0000000000BD0000-0x0000000000BED000-memory.dmp acprotect behavioral2/memory/2000-25-0x0000000000BD0000-0x0000000000BED000-memory.dmp acprotect behavioral2/memory/2000-24-0x0000000000BD0000-0x0000000000BED000-memory.dmp acprotect behavioral2/memory/2000-28-0x0000000000BD0000-0x0000000000BED000-memory.dmp acprotect behavioral2/memory/2104-32-0x0000000010000000-0x000000001001C000-memory.dmp acprotect -
Drops file in System32 directory 6 IoCs
Processes:
svchost.exerundll32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\scsimon.dll svchost.exe File created C:\Windows\SysWOW64\scsimon.dll svchost.exe File opened for modification C:\Windows\SysWOW64\com\comb.dll rundll32.exe File opened for modification C:\Windows\SysWOW64\com\comb.dll svchost.exe File opened for modification C:\Windows\SysWOW64\Miscson.dll svchost.exe File created C:\Windows\SysWOW64\Miscson.dll svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
rundll32.exedescription pid process target process PID 2104 set thread context of 2000 2104 rundll32.exe svchost.exe -
Drops file in Windows directory 4 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\AppPatch\ComBack.Dll rundll32.exe File created C:\Windows\AppPatch\ComBack.Dll rundll32.exe File opened for modification C:\Windows\AppPatch\AcSvcst.dll rundll32.exe File created C:\Windows\AppPatch\AcSvcst.dll rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1852 2104 WerFault.exe rundll32.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Spoolsv.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 Spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 Spoolsv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID Spoolsv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID Spoolsv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID Spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 Spoolsv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID Spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 Spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Spoolsv.exe -
Modifies data under HKEY_USERS 22 IoCs
Processes:
Spoolsv.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" Spoolsv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" Spoolsv.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts Spoolsv.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" Spoolsv.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts Spoolsv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" Spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" Spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exesvchost.exedescription pid process Token: SeDebugPrivilege 2104 rundll32.exe Token: SeDebugPrivilege 2000 svchost.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4600 wrote to memory of 2104 4600 rundll32.exe rundll32.exe PID 4600 wrote to memory of 2104 4600 rundll32.exe rundll32.exe PID 4600 wrote to memory of 2104 4600 rundll32.exe rundll32.exe PID 2104 wrote to memory of 2000 2104 rundll32.exe svchost.exe PID 2104 wrote to memory of 2000 2104 rundll32.exe svchost.exe PID 2104 wrote to memory of 2000 2104 rundll32.exe svchost.exe PID 2104 wrote to memory of 2000 2104 rundll32.exe svchost.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\24c92589686140881da82af4492fce5956eabd7328cec787ea5785325c7b95ea.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\24c92589686140881da82af4492fce5956eabd7328cec787ea5785325c7b95ea.dll,#12⤵
- Blocklisted process makes network request
- Registers new Print Monitor
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe -k rundll323⤵
- Registers new Print Monitor
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2000 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 5923⤵
- Program crash
PID:1852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2104 -ip 21041⤵PID:1440
-
C:\Windows\system32\Spoolsv.exeSpoolsv.exe1⤵
- Registers new Print Monitor
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3124
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137KB
MD5dcb78c9145f5c60ebe94cae5d8c0124d
SHA1cbe28d240f5a7b90550c6a4224eb3ac18091b60c
SHA25609e6d176b30240413cd4b740858740f2c10d2d354d7f2851a074325fa663f731
SHA51236e64630ffe73aab4264f0534e0361dcceea7ed1537ddf4d09dd8e4e058d3e1c1a89cef80c9cf785ce8d1a5ecc5fd76f8165d75c14b8d9dbc1066bf3a985f2ee
-
Filesize
128B
MD5740dfa20f693c30668147e6c269612d0
SHA1fb995bc846b760d40c5fb7f33c17c8284616ce94
SHA2565acea348d7c0d6dedd3e465d80d2bbade0ed3a48c1482fbec817534b08b50bba
SHA5120b83a08b3ca3c3013f0af1da1a8b7594c1758bafb4a79b69b3eb572812863d5d6e35ece13208d1aa8df8d0b84047f91536538f4a7c16ecbcf219437eee83bd1f