Overview

overview

10

Static

static

3

47e0cdd16e...69.dll

windows7-x64

8

47e0cdd16e...69.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2025 10:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47e0cdd16e0337637658adc9b82eb951ae2dfa0bf7454f155d8f439106e4e269.dll

  • Size

    137KB

  • MD5

    6006cb9df7bbb217c7f8d8d75f3d7e99

  • SHA1

    794bea76abdf177b1c3698b666888b456cae048c

  • SHA256

    47e0cdd16e0337637658adc9b82eb951ae2dfa0bf7454f155d8f439106e4e269

  • SHA512

    6708e4d6c3ab36b2b27ce168980501084ee1ff51151d11dadafefa24b4e3214e1226e3fa37e379d4c72ff650327692a53b32386cbed92cd1858e496f8d325154

  • SSDEEP

    3072:cR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuO:p25GgFny61mras

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Blocklisted process makes network request 1 IoCs
  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 16 IoCs

    Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    persistence
  • Sets service image path in registry 2 TTPs 2 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 15 IoCs

    Detects file using ACProtect software.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\47e0cdd16e0337637658adc9b82eb951ae2dfa0bf7454f155d8f439106e4e269.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\47e0cdd16e0337637658adc9b82eb951ae2dfa0bf7454f155d8f439106e4e269.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Boot or Logon Autostart Execution: Port Monitors
      • Sets service image path in registry
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe -k rundll32
        3⤵
        • Boot or Logon Autostart Execution: Port Monitors
        • Sets service image path in registry
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1048
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 616
        3⤵
        • Program crash
        PID:2288
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 772 -ip 772
    1⤵
      PID:716
    • C:\Windows\system32\Spoolsv.exe
      Spoolsv.exe
      1⤵
      • Boot or Logon Autostart Execution: Port Monitors
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:3208

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\AppPatch\ComBack.Dll
      Filesize

      137KB

      MD5

      bb8c4bc5411aea37d0593912496d241d

      SHA1

      f47a9148222cac968e0ef9149cd14590e51cfbfa

      SHA256

      7b997372b61adcbe1f0df04fb8d7020d67602e68119f5b6723779e9eb960052b

      SHA512

      f39a5927d314cd8891047c832e994f82e58c5245faf763da35d3663d5c804102bbca66baadc9c2384eea9dfc3743ec47043a5b1eb0b133a93b2f134712203eb2

      Download Submit

    • C:\Windows\SysWOW64\com\comb.dll
      Filesize

      127B

      MD5

      074bb0ae58be00454430b5a1c0502ffc

      SHA1

      3450e369af0bb288fa59de5def1b254636311a5c

      SHA256

      2c8f28174946dc187ebff54bed9c222edd6fdc6a12d02bfe54bb6907140be42e

      SHA512

      9870f8e8ef9baa546bd2f48c8c551c996e77ba703f53e5a6c5ee885a4f02908a833410ec6b112dbabc168ca62f72c63286ee2df5f39a10b4d76b0aa582fd6af8

      Download Submit

    • memory/772-5-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/772-6-0x0000000002690000-0x00000000026AD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/772-13-0x0000000002690000-0x00000000026AD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/772-14-0x0000000002690000-0x00000000026AD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/772-4-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/772-34-0x0000000043E50000-0x0000000043E77000-memory.dmp

      Filesize

      156KB

      Download

    • memory/772-31-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/772-12-0x0000000002690000-0x00000000026AD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/772-11-0x0000000002690000-0x00000000026AD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/772-9-0x0000000002690000-0x00000000026AD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1048-17-0x00000000006B0000-0x00000000006D7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1048-23-0x0000000002910000-0x000000000292D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1048-24-0x0000000002910000-0x000000000292D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1048-25-0x00000000006B0000-0x00000000006D7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1048-27-0x0000000002910000-0x000000000292D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1048-28-0x0000000002910000-0x000000000292D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1048-30-0x0000000002910000-0x000000000292D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1048-29-0x0000000002910000-0x000000000292D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1048-15-0x00000000006B0000-0x00000000006D7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1048-16-0x00000000004F0000-0x0000000000513000-memory.dmp

      Filesize

      140KB

      Download