873b3f4e9bcdf5c69e3928012df2b4d5fb94cb964f89ba842bdeb575178e031b

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ghosty Permanent Spoofer/SafeGuard-Library.dll
Size

12.5MB
MD5

0ba40688b6a23948b2bd929dd2777a59
SHA1

bc109471bb84c7dc05ee6b1b63eae36c0e6ab209
SHA256

4e3eca4adbe0c4fede28228239dd93bb866ecd0415569ede6464d796e8d1a3a8
SHA512

104b2e48779d9e1f534ceb546f911e535eda1b2645f494313df661aceca41c134d3a10b3e97a00ddf4a40556421369fff3872e466357743bc21ea19e0b0c2156
SSDEEP

196608:SOHt8K/1aCIGzofI1PRcndumYBy9HwMmoiODwuNaENvHkSGC/jcZ1yRTs6:1Hp/ggMIpOnXu2Y0wugOvHaZZUBB

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1612	rundll32.exe
1612	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2588	1612	rundll32.exe	31
PID 1612 wrote to memory of 2588	1612	rundll32.exe	31
PID 1612 wrote to memory of 2588	1612	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ghosty Permanent Spoofer\SafeGuard-Library.dll",#1
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1612 -s 160
  2⤵
  PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-0-0x000007FEF2DF8000-0x000007FEF3AC0000-memory.dmp

Filesize
12.8MB

Download
memory/1612-5-0x0000000077510000-0x0000000077512000-memory.dmp

Filesize
8KB

Download
memory/1612-25-0x0000000077550000-0x0000000077552000-memory.dmp

Filesize
8KB

Download
memory/1612-36-0x0000000077570000-0x0000000077572000-memory.dmp

Filesize
8KB

Download
memory/1612-51-0x00000000775A0000-0x00000000775A2000-memory.dmp

Filesize
8KB

Download
memory/1612-65-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/1612-63-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/1612-62-0x00000000775C0000-0x00000000775C2000-memory.dmp

Filesize
8KB

Download
memory/1612-60-0x00000000775C0000-0x00000000775C2000-memory.dmp

Filesize
8KB

Download
memory/1612-58-0x00000000775C0000-0x00000000775C2000-memory.dmp

Filesize
8KB

Download
memory/1612-57-0x00000000775B0000-0x00000000775B2000-memory.dmp

Filesize
8KB

Download
memory/1612-55-0x00000000775B0000-0x00000000775B2000-memory.dmp

Filesize
8KB

Download
memory/1612-53-0x00000000775B0000-0x00000000775B2000-memory.dmp

Filesize
8KB

Download
memory/1612-52-0x000007FEF2D80000-0x000007FEF4745000-memory.dmp

Filesize
25.8MB

Download
memory/1612-49-0x00000000775A0000-0x00000000775A2000-memory.dmp

Filesize
8KB

Download
memory/1612-47-0x00000000775A0000-0x00000000775A2000-memory.dmp

Filesize
8KB

Download
memory/1612-46-0x0000000077590000-0x0000000077592000-memory.dmp

Filesize
8KB

Download
memory/1612-44-0x0000000077590000-0x0000000077592000-memory.dmp

Filesize
8KB

Download
memory/1612-42-0x0000000077590000-0x0000000077592000-memory.dmp

Filesize
8KB

Download
memory/1612-41-0x0000000077580000-0x0000000077582000-memory.dmp

Filesize
8KB

Download
memory/1612-39-0x0000000077580000-0x0000000077582000-memory.dmp

Filesize
8KB

Download
memory/1612-37-0x0000000077580000-0x0000000077582000-memory.dmp

Filesize
8KB

Download
memory/1612-34-0x0000000077570000-0x0000000077572000-memory.dmp

Filesize
8KB

Download
memory/1612-32-0x0000000077570000-0x0000000077572000-memory.dmp

Filesize
8KB

Download
memory/1612-31-0x0000000077560000-0x0000000077562000-memory.dmp

Filesize
8KB

Download
memory/1612-29-0x0000000077560000-0x0000000077562000-memory.dmp

Filesize
8KB

Download
memory/1612-27-0x0000000077560000-0x0000000077562000-memory.dmp

Filesize
8KB

Download
memory/1612-26-0x000007FEF2D80000-0x000007FEF4745000-memory.dmp

Filesize
25.8MB

Download
memory/1612-23-0x0000000077550000-0x0000000077552000-memory.dmp

Filesize
8KB

Download
memory/1612-21-0x0000000077550000-0x0000000077552000-memory.dmp

Filesize
8KB

Download
memory/1612-20-0x0000000077540000-0x0000000077542000-memory.dmp

Filesize
8KB

Download
memory/1612-18-0x0000000077540000-0x0000000077542000-memory.dmp

Filesize
8KB

Download
memory/1612-16-0x0000000077540000-0x0000000077542000-memory.dmp

Filesize
8KB

Download
memory/1612-15-0x0000000077530000-0x0000000077532000-memory.dmp

Filesize
8KB

Download
memory/1612-13-0x0000000077530000-0x0000000077532000-memory.dmp

Filesize
8KB

Download
memory/1612-11-0x0000000077530000-0x0000000077532000-memory.dmp

Filesize
8KB

Download
memory/1612-10-0x0000000077520000-0x0000000077522000-memory.dmp

Filesize
8KB

Download
memory/1612-8-0x0000000077520000-0x0000000077522000-memory.dmp

Filesize
8KB

Download
memory/1612-6-0x0000000077520000-0x0000000077522000-memory.dmp

Filesize
8KB

Download
memory/1612-3-0x0000000077510000-0x0000000077512000-memory.dmp

Filesize
8KB

Download
memory/1612-1-0x0000000077510000-0x0000000077512000-memory.dmp

Filesize
8KB

Download
memory/1612-103-0x000007FEF2D80000-0x000007FEF4745000-memory.dmp

Filesize
25.8MB

Download
memory/1612-104-0x000007FEF2DF8000-0x000007FEF3AC0000-memory.dmp

Filesize
12.8MB

Download