Analysis
- max time kernel: 141s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2024, 05:26
Behavioral task: behavioral1
- Sample: 001e7e244514bc9cf0f68792722a0f816ba7b4e33583599899188f1758a70f6e.dll
- Resource: win7-20240704-en
- 5 signatures
- 150 seconds
General
- Target: 001e7e244514bc9cf0f68792722a0f816ba7b4e33583599899188f1758a70f6e.dll
- Size: 899KB
- MD5: b552f28efdc9cb750007e52cef1764b5
- SHA1: 3addb9f2cedc68b40a649b283a06f88b87949add
- SHA256: 001e7e244514bc9cf0f68792722a0f816ba7b4e33583599899188f1758a70f6e
- SHA512: d322e63b5e71dcb0d3a1783b8e705f05c48b38138283858e3c1e810229286999ac1d219315c11e6e64db1d991d01d093b533cb525291dfa9a588f3c08ca16286
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX3:7wqd87V3
Malware Config (Extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/1180-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: rundll32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 1180
  Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4540 wrote to memory of 1180 | 4540 | rundll32.exe | 89
  PID 4540 wrote to memory of 1180 | 4540 | rundll32.exe | 89
  PID 4540 wrote to memory of 1180 | 4540 | rundll32.exe | 89
Processes
- C:\Windows\system32\rundll32.exe (PID 4540)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\001e7e244514bc9cf0f68792722a0f816ba7b4e33583599899188f1758a70f6e.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1180)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\001e7e244514bc9cf0f68792722a0f816ba7b4e33583599899188f1758a70f6e.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3588)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8