Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 09:40
Behavioral task: behavioral1
Sample: 7b0401dfa9631236d929500c12580eb98553f706fd4368408998bae5af62ba4b.dll
Resource: win7-20231129-en
4 signatures
150 seconds
General
Target: 7b0401dfa9631236d929500c12580eb98553f706fd4368408998bae5af62ba4b.dll
Size: 50KB
MD5: f4b07afedfc0ece666f6e4ad0b6e0787
SHA1: ee482eda073164be9961f71d42b1cf09313ceed4
SHA256: 7b0401dfa9631236d929500c12580eb98553f706fd4368408998bae5af62ba4b
SHA512: 2003bfec510edbe29410f8f629d11eb6d7f18c2e2c1f36b2ee77e0de0c5a4356d11fbcd9d3d32c56c135e2906109955c77124d042d3286db2e2f52ec93b67447
SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5WJYH:W5ReWjTrW9rNPgYoUJYH
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/2236-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
Suspicious behavior: RenamesItself (1 IoC)
  pid: 2236
  process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   process       procid_target
  PID 2184 wrote to memory of 2236     2184  rundll32.exe  83
  PID 2184 wrote to memory of 2236     2184  rundll32.exe  83
  PID 2184 wrote to memory of 2236     2184  rundll32.exe  83
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b0401dfa9631236d929500c12580eb98553f706fd4368408998bae5af62ba4b.dll,#1
  PID: 2184
  Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b0401dfa9631236d929500c12580eb98553f706fd4368408998bae5af62ba4b.dll,#1
    PID: 2236
    Suspicious behavior: RenamesItself