Analysis
- max time kernel: 144s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/05/2024, 08:19
Behavioral task
- behavioral1
- Sample: f85fad8d63f0dc8141e76cb20911541d6d3bddb55ac2440d567878d2db99b0e4.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: f85fad8d63f0dc8141e76cb20911541d6d3bddb55ac2440d567878d2db99b0e4.dll
- Size: 899KB
- MD5: 32ba0e36bd16b8c3b562047a8571e565
- SHA1: 7a5237932d8c6b0bc80806420d2cba84fcb52e3c
- SHA256: f85fad8d63f0dc8141e76cb20911541d6d3bddb55ac2440d567878d2db99b0e4
- SHA512: 613f6687746b32a5643c42f6020078b1c323cdb21e5205775e2f5d0a12b81f1a3bde58595300298d79d7fe9a1c1dccde99062d31ea834011e08790eae596b20a
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXq:7wqd87Vq
Malware Config
Extracted
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/2460-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 2460
  Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1620 wrote to memory of 2460 | 1620 | rundll32.exe | 83
  PID 1620 wrote to memory of 2460 | 1620 | rundll32.exe | 83
  PID 1620 wrote to memory of 2460 | 1620 | rundll32.exe | 83
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f85fad8d63f0dc8141e76cb20911541d6d3bddb55ac2440d567878d2db99b0e4.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  PID: 1620
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f85fad8d63f0dc8141e76cb20911541d6d3bddb55ac2440d567878d2db99b0e4.dll,#1
    Signature: Suspicious behavior: RenamesItself
    PID: 2460