Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/05/2024, 10:33
Behavioral task
- behavioral1
- Sample: e2e922845bde5b87caf0f1a79b68f33f579bdb4ae72a0cc158ac1f2bee7b75b2.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
Note that this task entry is the Windows 7 run (behavioral1), whereas the analysis metadata above and the signatures and process tree below come from the Windows 10 run (behavioral2, resource win10v2004-20240508-en); the Windows 7 run's own results are not shown on this page.
General
- Target: e2e922845bde5b87caf0f1a79b68f33f579bdb4ae72a0cc158ac1f2bee7b75b2.dll
- Size: 50KB
- MD5: 5e3a58450e9d9f0557f89baa3dff5675
- SHA1: 593a6b06b79c3fba5f83eb51ba5e0a7d016969fa
- SHA256: e2e922845bde5b87caf0f1a79b68f33f579bdb4ae72a0cc158ac1f2bee7b75b2
- SHA512: d578a4894202e5edfd75e2d6c000943e5184af1de41f5163d3ed93157cec112d6234e5feb4db298e159fe34c16938f7cfd872c990c8ddafdc4df8fdac0addd4f
- SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o54JYH:W5ReWjTrW9rNPgYoiJYH
Malware Config
Extracted
- Family: gh0strat
- C2: hackerinvasion.f3322.net
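Triage extracted the family and the C2 host from the sample's embedded configuration; nothing on this page shows the wire protocol itself. As an added example (not Triage's code and not derived from this sample), the block below frames and validates packets using the classic open-source Gh0st layout: a 5-byte flag "Gh0st", a little-endian uint32 total packet length, a little-endian uint32 uncompressed length, then a zlib stream. The flag value, the MAX_FRAME sanity bound and the constructed byte stream are assumptions; Gh0st forks routinely change the flag (and sometimes the layout), so the domain hackerinvasion.f3322.net remains this report's dependable indicator and the magic below is a tunable, not a universal signature.

```python
"""Build, parse and scan for Gh0st-style C2 frames (added example, not Triage's code).

Assumes the classic open-source Gh0st framing:
    flag[5] = "Gh0st" | total_len (u32 LE) | uncompressed_len (u32 LE) | zlib(payload)
Forks change the flag, so pass your own `flag` when hunting a variant.
"""
import struct
import zlib

GH0ST_FLAG = b"Gh0st"                 # classic flag; assumption, variants differ
HEADER = struct.Struct("<5sII")       # flag, total length, uncompressed length
MAX_FRAME = 16 * 1024 * 1024          # sanity bound on total_len; assumption for this checker


def build_frame(payload: bytes, flag: bytes = GH0ST_FLAG) -> bytes:
    """Wrap a plaintext payload the way the classic client/server does."""
    body = zlib.compress(payload)
    return HEADER.pack(flag, HEADER.size + len(body), len(payload)) + body


def parse_frame(buf: bytes, flag: bytes = GH0ST_FLAG):
    """Return (payload, bytes_consumed) if buf starts with a well-formed frame, else None.

    A frame is accepted only when the flag matches, the declared length is sane,
    the zlib stream inflates cleanly, and the inflated size equals the header claim.
    """
    if len(buf) < HEADER.size:
        return None
    got_flag, total, plain = HEADER.unpack_from(buf)
    if got_flag != flag or total < HEADER.size or total > MAX_FRAME or len(buf) < total:
        return None
    try:
        payload = zlib.decompress(buf[HEADER.size:total])
    except zlib.error:
        return None
    if len(payload) != plain:
        return None
    return payload, total


def scan_stream(data: bytes, flag: bytes = GH0ST_FLAG):
    """Find every well-formed frame in a capture buffer; returns [(offset, payload), ...].

    A bare flag with a bogus header (e.g. a fuzzed or truncated packet) is skipped
    rather than treated as a hit, which keeps the check from firing on random noise.
    """
    hits = []
    start = 0
    while True:
        i = data.find(flag, start)
        if i < 0:
            return hits
        parsed = parse_frame(data[i:], flag)
        if parsed is None:
            start = i + 1
        else:
            hits.append((i, parsed[0]))
            start = i + parsed[1]


# Constructed sample stream: 7 bytes of noise, a valid frame, a flag with an absurd
# length (must be rejected), then a second valid frame.
SAMPLE_STREAM = (
    b"\x00\x01noise"
    + build_frame(b"\x01" + b"A" * 40)
    + b"Gh0st\xff\xff\xff\x7f"
    + build_frame(b"\x65\x00")
)

if __name__ == "__main__":
    for offset, payload in scan_stream(SAMPLE_STREAM):
        print(f"frame at offset {offset}: {len(payload)} plaintext bytes")
```

Run it against a reassembled TCP stream from a capture; because the check insists on a consistent zlib body and size, a false positive needs far more than the five magic bytes appearing by chance.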
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/644-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
  The matched dump is the region of PID 644 (the SysWOW64 rundll32.exe) mapped at 0x10000000, the default image base for 32-bit DLLs linked with MSVC, which is consistent with the submitted DLL's own image loaded into the 32-bit rundll32 process.
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 644, process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 3972 wrote to memory of 644 | 3972 | rundll32.exe | 83
  PID 3972 wrote to memory of 644 | 3972 | rundll32.exe | 83
  PID 3972 wrote to memory of 644 | 3972 | rundll32.exe | 83
  These writes are the parent 64-bit rundll32.exe writing into the child it has just spawned. On its own that is weak evidence, since a parent writing into a newly created child also occurs in benign launches; the Gh0st YARA match on the child's memory is the strong indicator here.
Processes
- C:\Windows\system32\rundll32.exe (PID 3972)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2e922845bde5b87caf0f1a79b68f33f579bdb4ae72a0cc158ac1f2bee7b75b2.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 644, child of PID 3972)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2e922845bde5b87caf0f1a79b68f33f579bdb4ae72a0cc158ac1f2bee7b75b2.dll,#1
    - Suspicious behavior: RenamesItself
The ",#1" argument tells rundll32 to call the DLL's export at ordinal 1 rather than by name. The DLL is 32-bit (resource tag arch:x86), so the 64-bit System32 rundll32.exe cannot load it and re-launches the SysWOW64 copy with the same arguments; PID 644 is therefore the process that actually runs the payload, which is where the Gh0st RAT memory signature fires.
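The process tree above is a compact hunting pattern: a 32-bit DLL dropped under the user's Temp directory, invoked through rundll32 by export ordinal, with the System32 rundll32 handing off to its SysWOW64 twin. As an added example (not Triage's code), the block below runs that heuristic, plus a match on the report's C2 domain, over constructed process-creation records modelled on this report. The record fields, the `ProcEvent` type, the reason labels and the sample events are assumptions for illustration, loosely shaped like Sysmon process-creation data rather than any real log format.

```python
"""Flag the rundll32 pattern from this report over constructed process-creation events.

Added example, not Triage's code. Event fields and sample records are constructed
to mirror the report's process tree; they are not a real log format.
"""
import re
from dataclasses import dataclass

# Indicators taken directly from the report.
SAMPLE_SHA256 = "e2e922845bde5b87caf0f1a79b68f33f579bdb4ae72a0cc158ac1f2bee7b75b2"
C2_DOMAIN = "hackerinvasion.f3322.net"

# rundll32 command line shape: "<dll path>,<export>", export as a name or "#ordinal".
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE,
)
# Where a user-dropped DLL typically lives; assumption for this heuristic.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM32_RUNDLL = r"c:\windows\system32\rundll32.exe"
SYSWOW64_RUNDLL = r"c:\windows\syswow64\rundll32.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str    # its command line


def parse_rundll32(cmdline: str):
    """Return (dll, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def score_event(ev: ProcEvent, by_pid: dict) -> list:
    """List the reasons this process-creation event looks like the report's pattern."""
    reasons = []
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None or not ev.image.lower().endswith("\\rundll32.exe"):
        return reasons
    dll, export = parsed
    if USER_TEMP_RE.search(dll):
        reasons.append("dll_in_user_temp")
    if export.startswith("#"):
        reasons.append("export_by_ordinal")
    parent = by_pid.get(ev.ppid)
    if (parent is not None and parent.image.lower() == SYSTEM32_RUNDLL
            and ev.image.lower() == SYSWOW64_RUNDLL):
        # 64-bit rundll32 re-launching the WOW64 copy: the 32-bit DLL runs in the child.
        reasons.append("wow64_handoff_from_system32_rundll32")
    return reasons


def find_suspicious(events: list) -> dict:
    """Map pid -> reasons for every event that trips at least one check."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        reasons = score_event(ev, by_pid)
        if reasons:
            hits[ev.pid] = reasons
    return hits


def matches_c2(qname: str, c2: str = C2_DOMAIN) -> bool:
    """True for the report's C2 host or any label beneath it (trailing dot tolerated)."""
    q = qname.rstrip(".").lower()
    return q == c2 or q.endswith("." + c2)


# Constructed events mirroring the report's tree, plus one benign rundll32 launch.
DLL = (r"C:\Users\Admin\AppData\Local\Temp\\" + SAMPLE_SHA256 + ".dll").replace("\\\\", "\\")
EVENTS = [
    ProcEvent(1234, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3972, 1234, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(644, 3972, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(700, 1234, r"C:\Windows\system32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(EVENTS).items():
        print(pid, ", ".join(reasons))
```

Treat each reason as a weight rather than a verdict: ordinal exports and Temp-resident DLLs appear in some legitimate installers, but all three together, as in this report, are worth a closer look regardless of whether the hash is already known.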