Analysis
  max time kernel: 141s
  max time network: 140s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10-11-2024 18:41
Behavioral task: behavioral1
  Sample: ee67b36539435160433c1fd2932a507c413d38e177406bf29c8996dccd2e65c7.dll
  Resource: win7-20241023-en
General
  Target: ee67b36539435160433c1fd2932a507c413d38e177406bf29c8996dccd2e65c7.dll
  Size: 50KB
  MD5: dec4bfb6dd3d09c43db125afea5c0520
  SHA1: a30a8dd8b315412448fdeab29c7aca7eca502503
  SHA256: ee67b36539435160433c1fd2932a507c413d38e177406bf29c8996dccd2e65c7
  SHA512: ca39d8bd918307e23d38758174f76810cdf2808be484d2776a27b4bf5b9af40add7d485e6dec2f59545585a93c0f57df7139d28f69ea4c5fd4f0143d62da0ff9
  SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5yJYH:W5ReWjTrW9rNPgYoQJYH
Malware Config (extracted)
  Family: gh0strat
  C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  Processes:
    resource: behavioral2/memory/1468-0-0x0000000010000000-0x0000000010011000-memory.dmp
    yara_rule: family_gh0strat

Gh0strat family

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: rundll32.exe

Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid: 1468
    process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (the same event is recorded three times):
    description: PID 4684 wrote to memory of 1468
    pid: 4684
    process: rundll32.exe
    target process: rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee67b36539435160433c1fd2932a507c413d38e177406bf29c8996dccd2e65c7.dll,#1
    PID: 4684
    signatures: Suspicious use of WriteProcessMemory
    child:
      C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee67b36539435160433c1fd2932a507c413d38e177406bf29c8996dccd2e65c7.dll,#1
        PID: 1468
        signatures: System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself