Analysis
Max time kernel: 142s
Max time network: 124s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30/05/2024, 15:32
Behavioral task: behavioral1
Sample: 68d20870533f5068096d0941b72c839cbcd24b0811ce8de53aa1f1e37353a4de.dll
Resource: win7-20231129-en
Signatures: 4
Run time: 150 seconds
General
Target: 68d20870533f5068096d0941b72c839cbcd24b0811ce8de53aa1f1e37353a4de.dll
Size: 51KB
MD5: f52b2f978bc79e2d02ace08bbd006b14
SHA1: 97468f15ce0f737922a847920f7d75a2e07c19e1
SHA256: 68d20870533f5068096d0941b72c839cbcd24b0811ce8de53aa1f1e37353a4de
SHA512: 381a381a1ba1af5a68443f981ef9d97bd6916da89429f388da0a3e34fee15a398d4c993fada12841d98ba429215b38014394703167ec7147207d811208e2350e
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLzJYH5:1dWubF3n9S91BF3fbofJYH5
Malware Config (extracted)
Family: gh0strat
C2: kinh.xmcxmr.com
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/868-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
Suspicious behavior: RenamesItself (1 IoC)
  pid: 868
  process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   process       procid_target
  PID 1308 wrote to memory of 868      1308  rundll32.exe  83
  PID 1308 wrote to memory of 868      1308  rundll32.exe  83
  PID 1308 wrote to memory of 868      1308  rundll32.exe  83
Processes
C:\Windows\system32\rundll32.exe (PID 1308)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\68d20870533f5068096d0941b72c839cbcd24b0811ce8de53aa1f1e37353a4de.dll,#1
  signature: Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\rundll32.exe (PID 868)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\68d20870533f5068096d0941b72c839cbcd24b0811ce8de53aa1f1e37353a4de.dll,#1
    signature: Suspicious behavior: RenamesItself