Analysis
- max time kernel: 147s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2024, 04:33
Behavioral task
- behavioral1
  - Sample: 63e5628ba754d11e7a7f2c810c0071472ecdb95d9100d2aab2ef865fdc8bfa99.dll
  - Resource: win7-20240220-en
  - 4 signatures
  - 150 seconds
General
- Target: 63e5628ba754d11e7a7f2c810c0071472ecdb95d9100d2aab2ef865fdc8bfa99.dll
- Size: 899KB
- MD5: e0e55ed4378bc67e3648c214e34f8909
- SHA1: efb24f72ace043db6302d612252fef3898879a6d
- SHA256: 63e5628ba754d11e7a7f2c810c0071472ecdb95d9100d2aab2ef865fdc8bfa99
- SHA512: 935170fbdbd9d0eec1b6b9272b23f7fb0ca9a358bf5ad32ab49fd9fc1c6430a336b41cdc5495bf29cfdc3366aa57c165b6171adce9b0b78e5eb99fbc14c3e5ed
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX0:7wqd87V0
Malware Config
Extracted
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/952-0-0x0000000010000000-0x000000001014F000-memory.dmp | family_gh0strat
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  952 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3432 wrote to memory of 952 | 3432 | rundll32.exe | 83
  PID 3432 wrote to memory of 952 | 3432 | rundll32.exe | 83
  PID 3432 wrote to memory of 952 | 3432 | rundll32.exe | 83
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63e5628ba754d11e7a7f2c810c0071472ecdb95d9100d2aab2ef865fdc8bfa99.dll,#1
  PID: 3432
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63e5628ba754d11e7a7f2c810c0071472ecdb95d9100d2aab2ef865fdc8bfa99.dll,#1
    PID: 952
    - Suspicious behavior: RenamesItself