Analysis
- max time kernel: 148s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/05/2024, 18:33
Behavioral task
- behavioral1
- Sample: 7ebae92abab3ce3822e2309b87dea86c071e4e34e636956b035e64d0edcdfd3d.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: 7ebae92abab3ce3822e2309b87dea86c071e4e34e636956b035e64d0edcdfd3d.dll
- Size: 51KB
- MD5: 5b12a4b6216b3459a72e54400d06d313
- SHA1: 7d19d4638d869e84342e632984943c06dca51b05
- SHA256: 7ebae92abab3ce3822e2309b87dea86c071e4e34e636956b035e64d0edcdfd3d
- SHA512: d37591c9ed099c8d2d1b24ebc37705971aa92373989da549be9a2fae3942b0897546ec71693b432a7fd6ccd2dda9401014f74f5316ca51c41421274fa93094d4
- SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoL/JYH5:1dWubF3n9S91BF3fboTJYH5
Malware Config
Extracted
- Family: gh0strat
- C2: kinh.xmcxmr.com
Signatures
- Gh0st RAT payload (1 IoCs)
  resource: behavioral2/memory/808-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoCs)
  pid: 808
  Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4712 wrote to memory of 808; pid: 4712; Process: rundll32.exe; procid_target: 83
  description: PID 4712 wrote to memory of 808; pid: 4712; Process: rundll32.exe; procid_target: 83
  description: PID 4712 wrote to memory of 808; pid: 4712; Process: rundll32.exe; procid_target: 83
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ebae92abab3ce3822e2309b87dea86c071e4e34e636956b035e64d0edcdfd3d.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4712
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ebae92abab3ce3822e2309b87dea86c071e4e34e636956b035e64d0edcdfd3d.dll,#1
    - Suspicious behavior: RenamesItself
    PID: 808