Analysis
- max time kernel: 141s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2024, 16:44
Behavioral task: behavioral1
- Sample: 064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af.dll
- Resource: win7-20240708-en
- 6 signatures
- 150 seconds
General
- Target: 064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af.dll
- Size: 51KB
- MD5: eecc202cc957f4c336de039a74325c43
- SHA1: 500d872f73a67609c3dfdc9e6f90af009888e227
- SHA256: 064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af
- SHA512: 92568c546d7e78706192c04f036689efca5d0ab1fe18e29cc4fe7688c9168c00c01edcf1e81f6eb94b0b04bd1a1f4c35afb981464de86ad7e632cff14575c929
- SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLFJYH5:1dWubF3n9S91BF3fboRJYH5
Malware Config (Extracted)
- Family: gh0strat
- C2: kinh.xmcxmr.com
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/4876-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
- Gh0strat family
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: rundll32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 4876
  Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2888 wrote to memory of 4876; pid: 2888; Process: rundll32.exe; procid_target: 82
  description: PID 2888 wrote to memory of 4876; pid: 2888; Process: rundll32.exe; procid_target: 82
  description: PID 2888 wrote to memory of 4876; pid: 2888; Process: rundll32.exe; procid_target: 82
Processes
- C:\Windows\system32\rundll32.exe (PID: 2888)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 4876)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\064d775cd4dbf9e2ad20383a3a8dff0382577477f3c6ff4484662d710ac9e6af.dll,#1
    signatures: System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself