Analysis
max time kernel: 141s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 04:09
Behavioral task
behavioral1
Sample: fc2a250f214b6d2c82c7d720e95dcdc9ca93bf9d99ac4340afddbb98d1634c4f.dll
Resource: win7-20240704-en
4 signatures
150 seconds
General
Target: fc2a250f214b6d2c82c7d720e95dcdc9ca93bf9d99ac4340afddbb98d1634c4f.dll
Size: 899KB
MD5: f7f5f5bb208fbb5ba2b689b84349648d
SHA1: 523156079cf2f524a97e9295554b9fbb3a70e06c
SHA256: fc2a250f214b6d2c82c7d720e95dcdc9ca93bf9d99ac4340afddbb98d1634c4f
SHA512: 295df632816d58c955359a54d6952460944c3712731722ab1da0704d209898d382ac06a84eb041188c50ed56679120016c2b3797e0c63a74eb366fa653f779d4
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXb:7wqd87Vb
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures
Gh0st RAT payload (1 IoCs)
Processes:
  resource: behavioral2/memory/4924-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
  pid: 4924
  process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description               pid   process       target process
  wrote to memory of 4924   1596  rundll32.exe  rundll32.exe
  wrote to memory of 4924   1596  rundll32.exe  rundll32.exe
  wrote to memory of 4924   1596  rundll32.exe  rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc2a250f214b6d2c82c7d720e95dcdc9ca93bf9d99ac4340afddbb98d1634c4f.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc2a250f214b6d2c82c7d720e95dcdc9ca93bf9d99ac4340afddbb98d1634c4f.dll,#1
      - Suspicious behavior: RenamesItself
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,8810623976767776473,12198967845557146846,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
memory/4924-0-0x0000000010000000-0x000000001014F000-memory.dmp
  Filesize: 1.3MB