Analysis
Max time kernel: 145s
Max time network: 123s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/05/2024, 22:15
Behavioral task: behavioral1
Sample: eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a.dll
Resource: win7-20240221-en
4 signatures, 150 seconds

Note that the task selector lists behavioral1 (Windows 7 image), while the Analysis block above and the signature paths below (behavioral2/...) describe the Windows 10 run; the PIDs, memory dump and process tree on this page belong to that Windows 10 task.
General
Target: eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a.dll
Size: 899KB
MD5: a7466233b27cedc3c79f5d9334ea5b79
SHA1: d4661555e2b5d1e071b642160dbd7cfb5aa424e2
SHA256: eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a
SHA512: fbecaedc3a5253a2520a234f9c92d4482eee6cb9ad970156cbe0260a6f0304f8d49920403c687e9ccdf2e159a1a921d2cff2deaca829b5a92c6c1424f0816e92
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXW:7wqd87VW
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net

f3322.net is a dynamic DNS service, so the address this hostname resolves to can change at any time; pivot, hunt and block on the hostname rather than on whatever IP it returned during the sandbox run.
Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/3572-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
  The match is against the in-memory image of the DLL in PID 3572 (the 32-bit rundll32.exe), mapped at 0x10000000, the default link-time image base for 32-bit DLLs, so the module loaded at its preferred base without relocation. The dumped region (0x14F000 bytes) is the mapped image, not the 899KB file on disk, and is where the family rule fires.

Suspicious behavior: RenamesItself (1 IoC)
  pid 3572, rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1312 (rundll32.exe) wrote to memory of PID 3572 (procid_target 83); the same parent-to-child write is recorded three times.
Processes

C:\Windows\system32\rundll32.exe (PID 1312)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 3572)
       Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a.dll,#1
       Signature: Suspicious behavior: RenamesItself

The DLL is invoked by export ordinal (#1) rather than by name. The 64-bit rundll32.exe in System32 cannot load a 32-bit DLL, so it re-launches the SysWOW64 copy with the same arguments; that WoW64 hop is normal Windows behaviour for any 32-bit DLL and is not malicious on its own. What makes this chain worth alerting on is the combination: rundll32 spawning rundll32, a DLL in the user's Temp directory, an export called by ordinal, and the Gh0st RAT YARA hit in the child process.
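The checks described above, as an added example that is not Triage output or Triage code: a small detector that walks process-creation events, flags a rundll32.exe parent/child pair, and records why (export by ordinal, DLL under a user-writable path, System32 to SysWOW64 hop), plus a helper that decodes the memory-dump name from the YARA hit into PID and region size. The events are constructed to mirror this report (PIDs 1312 and 3572 and their command lines come from it); the explorer.exe parent (PID 888) and the benign Control Panel invocation (PID 4100) are invented for contrast. The dump-name layout pid-index-start-end is an assumption based on the name as it appears on this page.

```python
"""Flag the rundll32 launch chain from the report and decode the dump name.

Added example, not Triage output or Triage code. Event records are
constructed; PIDs 1312/3572 and their command lines mirror the report,
PIDs 888 and 4100 are invented.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the Sysmon event 1 fields we need)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# rundll32 <dll path>,#<ordinal>   or   rundll32 <dll path>,<ExportName>
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>#\d+|\w+)',
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; a DLL loaded from here is rarely legitimate.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE
)
# Assumed dump-name layout, as seen in the YARA hit: <pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return the DLL path, the export, and whether it was called by ordinal (or None)."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    export = m.group("export")
    return {"dll": m.group("dll"), "export": export, "by_ordinal": export.startswith("#")}


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def is_wow64_hop(parent, child):
    """64-bit rundll32 in System32 re-launching the 32-bit copy in SysWOW64."""
    return "\\system32\\" in parent.image.lower() and "\\syswow64\\" in child.image.lower()


def find_rundll32_chains(events):
    """Return [(child_pid, [reasons])] for every rundll32 -> rundll32 parent/child pair."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or not (is_rundll32(parent.image) and is_rundll32(child.image)):
            continue
        reasons = ["rundll32.exe spawned rundll32.exe"]
        info = parse_rundll32(child.cmdline)
        if info and info["by_ordinal"]:
            reasons.append(f"export invoked by ordinal {info['export']}")
        if info and USER_WRITABLE_RE.search(info["dll"]):
            reasons.append("DLL loaded from a user-writable directory")
        if is_wow64_hop(parent, child):
            reasons.append("WoW64 hop: 64-bit host launched the SysWOW64 copy")
        findings.append((child.pid, reasons))
    return findings


def parse_dump_name(name):
    """Decode a memory-dump name into pid and mapped region (size in bytes)."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


# Constructed events modelled on the report's process tree.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a.dll")
SAMPLE_EVENTS = [
    ProcEvent(888, 1, r"C:\Windows\explorer.exe", "explorer.exe"),  # invented parent
    ProcEvent(1312, 888, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(3572, 1312, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(4100, 888, r"C:\Windows\system32\rundll32.exe",  # invented benign case
              "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, reasons in find_rundll32_chains(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
    print(parse_dump_name("behavioral2/memory/3572-0-0x0000000010000000-0x000000001014F000-memory.dmp"))
```

Only the child (PID 3572) is reported, with all three reasons; the benign Control Panel launch has no rundll32 parent and is ignored. In production telemetry the WoW64 hop alone should carry little weight, since it happens for every 32-bit DLL; the Temp path and ordinal export are what separate this chain from ordinary use.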