Analysis
Max time kernel: 141s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 30/12/2024, 16:44
Behavioral task: behavioral1
Sample: 064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af.dll
Resource: win7-20240708-en
Result: 6 signatures, 150 seconds
General
Target: 064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af.dll
Size: 51KB
MD5: eecc202cc957f4c336de039a74325c43
SHA1: 500d872f73a67609c3dfdc9e6f90af009888e227
SHA256: 064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af
SHA512: 92568c546d7e78706192c04f036689efca5d0ab1fe18e29cc4fe7688c9168c00c01edcf1e81f6eb94b0b04bd1a1f4c35afb981464de86ad7e632cff14575c929
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLFJYH5:1dWubF3n9S91BF3fboRJYH5
Malware Config (extracted)
Family: gh0strat
C2: kinh.xmcxmr.com
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2384-0-0x0000000010000000-0x0000000010011000-memory.dmp | yara_rule: family_gh0strat
- Gh0strat family
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: rundll32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 2384 | Process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2112 wrote to memory of 2384 | pid: 2112 | Process: rundll32.exe | procid_target: 30
  (the same row is reported 7 times)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af.dll,#1
   PID: 2112
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of the process above)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af.dll,#1
      PID: 2384
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: RenamesItself