Analysis
- max time kernel: 145s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/05/2024, 23:11
Behavioral task: behavioral1
- Sample: 3f7dcfa94888e4d6f27fb69606d4898d89946abefb1442b5bdcb5ae85a770e7e.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: 3f7dcfa94888e4d6f27fb69606d4898d89946abefb1442b5bdcb5ae85a770e7e.dll
- Size: 899KB
- MD5: 3c3a5900f06c478723bff0f29ffb8a37
- SHA1: b328a32572abf31bce37351712806e2580f55101
- SHA256: 3f7dcfa94888e4d6f27fb69606d4898d89946abefb1442b5bdcb5ae85a770e7e
- SHA512: efe2ab416bed8e01d663ca4cb76f7a0dc98a49a77297fd079c48c83446b0e78bcff423f5c6a14fa04c1f84d9a4bc9b15a1bdad5f253f1302be9a45b70170e4c6
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX/:7wqd87V/
Malware Config (Extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/2344-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2344, process rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2752 wrote to memory of 2344; pid 2752, process rundll32.exe, procid_target 83
  description: PID 2752 wrote to memory of 2344; pid 2752, process rundll32.exe, procid_target 83
  description: PID 2752 wrote to memory of 2344; pid 2752, process rundll32.exe, procid_target 83
Processes
- C:\Windows\system32\rundll32.exe (PID 2752)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f7dcfa94888e4d6f27fb69606d4898d89946abefb1442b5bdcb5ae85a770e7e.dll,#1
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\rundll32.exe (PID 2344)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f7dcfa94888e4d6f27fb69606d4898d89946abefb1442b5bdcb5ae85a770e7e.dll,#1
    - Suspicious behavior: RenamesItself