Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 05-07-2024 05:08
Behavioral task: behavioral1
- Sample: c84ff5fd665b59b9bbd7c07a790452447e6abec47c13b8670b95fe9dd836aa86.dll
- Resource: win7-20240704-en (windows7-x64)
- 4 signatures
- 150 seconds
General
- Target: c84ff5fd665b59b9bbd7c07a790452447e6abec47c13b8670b95fe9dd836aa86.dll
- Size: 899KB
- MD5: 795979d4329aab8345d46e03476c435c
- SHA1: bc13b2381e097fbfab6e214380488d44be0459e8
- SHA256: c84ff5fd665b59b9bbd7c07a790452447e6abec47c13b8670b95fe9dd836aa86
- SHA512: 694c8877d747ef27497e01f8659cb910b4642dca6be20e79e30fd1fe4a0943cbd79d9746796a41ec6e9a840838e3e7f5389b1be1caf83ede2c65ebc1ad090cac
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXj:7wqd87Vj
Malware Config (extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  Processes:
    resource: behavioral1/memory/2780-0-0x0000000010000000-0x000000001014F000-memory.dmp
    yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid: 2780
    process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (the same row is recorded 7 times):
    description: PID 2732 wrote to memory of 2780
    pid: 2732
    process: rundll32.exe
    target process: rundll32.exe
Processes
- [1] C:\Windows\system32\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c84ff5fd665b59b9bbd7c07a790452447e6abec47c13b8670b95fe9dd836aa86.dll,#1
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c84ff5fd665b59b9bbd7c07a790452447e6abec47c13b8670b95fe9dd836aa86.dll,#1
        - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads
- memory/2780-0-0x0000000010000000-0x000000001014F000-memory.dmp (filesize: 1.3MB)