Analysis

  • max time kernel
    92s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-01-2025 22:30

General

  • Target

    Ghosty Permanent Spoofer/SafeGuard-Library.dll

  • Size

    12.5MB

  • MD5

    0ba40688b6a23948b2bd929dd2777a59

  • SHA1

    bc109471bb84c7dc05ee6b1b63eae36c0e6ab209

  • SHA256

    4e3eca4adbe0c4fede28228239dd93bb866ecd0415569ede6464d796e8d1a3a8

  • SHA512

    104b2e48779d9e1f534ceb546f911e535eda1b2645f494313df661aceca41c134d3a10b3e97a00ddf4a40556421369fff3872e466357743bc21ea19e0b0c2156

  • SSDEEP

    196608:SOHt8K/1aCIGzofI1PRcndumYBy9HwMmoiODwuNaENvHkSGC/jcZ1yRTs6:1Hp/ggMIpOnXu2Y0wugOvHaZZUBB

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ghosty Permanent Spoofer\SafeGuard-Library.dll",#1
    PID: 1496
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\WerFault.exe (child of PID 1496)
      C:\Windows\system32\WerFault.exe -u -p 1496 -s 160
      PID: 1120

Network

MITRE ATT&CK Matrix


Downloads
