Analysis
  max time kernel: 140s
  max time network: 93s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30/05/2024, 14:32
Behavioral task: behavioral1
  Sample: deff54c39868ca125c62971ebe1c0b2d36f727419c05e782f2e2d3d4d7543f02.dll
  Resource: win7-20240220-en
  Signatures: 4
  Duration: 150 seconds
General
  Target: deff54c39868ca125c62971ebe1c0b2d36f727419c05e782f2e2d3d4d7543f02.dll
  Size: 50KB
  MD5: 8b18df55685004e790aad900bbeddcbf
  SHA1: de94b77311e53fe7be89f82fc109252b595b10d6
  SHA256: deff54c39868ca125c62971ebe1c0b2d36f727419c05e782f2e2d3d4d7543f02
  SHA512: 72258664cc3825d6ed791a7ca495332ed7f7fd8fdfef85ef8a3daab8fa6732a54ebce7aa79e71651f0c2dcff016ee0b6b10c662fa5ba442c41356a3d1704d3c9
  SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o55JYH:W5ReWjTrW9rNPgYovJYH
Malware Config (extracted)
  Family: gh0strat
  C2: hackerinvasion.f3322.net
Signatures
  Gh0st RAT payload (1 IoC)
    resource: behavioral2/memory/2252-0-0x0000000010000000-0x0000000010011000-memory.dmp
    yara_rule: family_gh0strat
  Suspicious behavior: RenamesItself (1 IoC)
    pid 2252, process rundll32.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    description: PID 4788 wrote to memory of 2252, process rundll32.exe, procid_target 83
    description: PID 4788 wrote to memory of 2252, process rundll32.exe, procid_target 83
    description: PID 4788 wrote to memory of 2252, process rundll32.exe, procid_target 83
Processes
  C:\Windows\system32\rundll32.exe (PID 4788)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\deff54c39868ca125c62971ebe1c0b2d36f727419c05e782f2e2d3d4d7543f02.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    child: C:\Windows\SysWOW64\rundll32.exe (PID 2252)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\deff54c39868ca125c62971ebe1c0b2d36f727419c05e782f2e2d3d4d7543f02.dll,#1
      signatures: Suspicious behavior: RenamesItself