Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/03/2025, 02:08
Behavioral task
behavioral1
Sample
789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a.dll
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
General
-
Target
789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a.dll
-
Size
10.0MB
-
MD5
2d4917e38640c3edce8abc2eed666556
-
SHA1
8839af77fcf612375d063e97e57ffbd2c12d468a
-
SHA256
789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a
-
SHA512
0405c00c5cc8aeae6b77a23ca461f35474850c9251ad5bb5a2f104f8d408b53e76fa8aa30660573a717c3799f27ca0cb2a6d7d6a9fbfd71e1249ed0695575cea
-
SSDEEP
3072:iJO8w5IR5QgyTYOiFTZCqKDWQimUXTK5Vjz/GQcWRMIP0M:oO8og8YOuCj6QwDcja0RL
Malware Config
Signatures
-
Gh0st RAT payload 5 IoCs
resource yara_rule behavioral1/memory/2920-2-0x0000000010000000-0x0000000010025000-memory.dmp family_gh0strat behavioral1/memory/2920-0-0x0000000010000000-0x0000000010025000-memory.dmp family_gh0strat behavioral1/files/0x000b000000012118-6.dat family_gh0strat behavioral1/memory/2368-8-0x0000000010000000-0x0000000010025000-memory.dmp family_gh0strat behavioral1/memory/2368-9-0x0000000010000000-0x0000000010025000-memory.dmp family_gh0strat -
Gh0strat family
-
Loads dropped DLL 1 IoCs
pid Process 2368 svchost.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system\avicap.log rundll32.exe File created C:\Windows\system\avicap.log rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe 2368 svchost.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeBackupPrivilege 2920 rundll32.exe Token: SeRestorePrivilege 2920 rundll32.exe Token: SeBackupPrivilege 2920 rundll32.exe Token: SeRestorePrivilege 2920 rundll32.exe Token: SeBackupPrivilege 2920 rundll32.exe Token: SeRestorePrivilege 2920 rundll32.exe Token: SeBackupPrivilege 2920 rundll32.exe Token: SeRestorePrivilege 2920 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1924 wrote to memory of 2920 1924 rundll32.exe 30 PID 1924 wrote to memory of 2920 1924 rundll32.exe 30 PID 1924 wrote to memory of 2920 1924 rundll32.exe 30 PID 1924 wrote to memory of 2920 1924 rundll32.exe 30 PID 1924 wrote to memory of 2920 1924 rundll32.exe 30 PID 1924 wrote to memory of 2920 1924 rundll32.exe 30 PID 1924 wrote to memory of 2920 1924 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2368
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16.4MB
MD5da4d154815544d093a6572591cc057b0
SHA1073a13efe70cb8696612739b39e0b345b9613d35
SHA256f756841fb98875da38dbee3645d85e8b8a35db690a7b88a75aeeb69b1ed628bb
SHA512f748517b8fa7ca437d0011a0ef9d0c427c133ed710aab93eaa15f130c4db150388adf7424ecec6d19c59356315ba4bd3a1f02819af355425964eb2d3aff9121b