Analysis
  max time kernel: 146s
  max time network: 124s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24/05/2024, 05:05
Behavioral task
  behavioral1
  Sample: f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22.dll
  Resource: win7-20231129-en
  4 signatures
  150 seconds
General
  Target: f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22.dll
  Size: 51KB
  MD5: 059a8c67b1501bfcfa238690e3723def
  SHA1: e52a5b9e718ccc6e1d2ad10caae341201eb2a836
  SHA256: f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22
  SHA512: 3191e8727d88c41194c7eca921f3274c71b8d5bc1488dc5b45012b7b8310d99d1dc9705ea59f675065adead31a2fdb70f878f7133112a55fcb76853bd8b09e86
  SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLWJYH5:1dWubF3n9S91BF3fboCJYH5
Malware Config
  Extracted
    Family: gh0strat
    C2: kinh.xmcxmr.com
Signatures
  Gh0st RAT payload (1 IoC)
    resource: behavioral2/memory/1564-0-0x0000000010000000-0x0000000010011000-memory.dmp
    yara_rule: family_gh0strat
  Suspicious behavior: RenamesItself (1 IoC)
    pid: 1564
    Process: rundll32.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid   Process       procid_target
    PID 1920 wrote to memory of 1564   1920  rundll32.exe  83
    PID 1920 wrote to memory of 1564   1920  rundll32.exe  83
    PID 1920 wrote to memory of 1564   1920  rundll32.exe  83
Processes
  1. C:\Windows\system32\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22.dll,#1
     PID: 1920
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22.dll,#1
        PID: 1564
        - Suspicious behavior: RenamesItself