Analysis
max time kernel: 144s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/05/2024, 08:29
Behavioral task
behavioral1
Sample: a8a4168f1af62a359761d68c5693df52f19b2ad083792c650f8c51fd0ca596ee.dll
Resource: win7-20231129-en
4 signatures
150 seconds
Note that this task entry refers to behavioral1 on the Windows 7 resource, while the Analysis block, the signatures and the memory-dump path below (behavioral2/...) come from the run on the Windows 10 resource listed under Analysis.
General
Target: a8a4168f1af62a359761d68c5693df52f19b2ad083792c650f8c51fd0ca596ee.dll
Size: 899KB
MD5: 87df5b45d82470c58f7009f909f125ee
SHA1: f3ac6fbe2cdf8c0a018eeed641a4b45549f2c9ab
SHA256: a8a4168f1af62a359761d68c5693df52f19b2ad083792c650f8c51fd0ca596ee
SHA512: 3606aa53876442295fbab15d0ec064276f49dbd836ce000d95598c13fcf850d7953a6f6aa647b35e5b0906c8693162da632a6cf26b83ae913da191c485902621
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXe:7wqd87Ve
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
The C2 is a hostname under the f3322.net dynamic-DNS service, so the IP it resolves to can change between runs; block and hunt on the hostname (and its DNS lookups) rather than on a single resolved address.
Signatures
Gh0st RAT payload (1 IoC)
    resource: behavioral2/memory/228-0-0x0000000010000000-0x000000001014F000-memory.dmp
    yara_rule: family_gh0strat
    The matched region in PID 228 starts at 0x10000000, the default preferred image base for a 32-bit DLL, so the dump is most likely the sample's own image mapped without relocation in the 32-bit rundll32.exe rather than a separately injected payload.
Suspicious behavior: RenamesItself (1 IoC)
    pid: 228
    process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   process       procid_target
    PID 1504 wrote to memory of 228   1504  rundll32.exe  83
    PID 1504 wrote to memory of 228   1504  rundll32.exe  83
    PID 1504 wrote to memory of 228   1504  rundll32.exe  83
    All three writes go from the parent rundll32.exe (1504) into its own child (228), which a parent also does during normal process start-up; treat them as corroboration of the process tree below, not as proof of injection on their own.
Processes
C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a4168f1af62a359761d68c5693df52f19b2ad083792c650f8c51fd0ca596ee.dll,#1
    Suspicious use of WriteProcessMemory
    PID: 1504
    C:\Windows\SysWOW64\rundll32.exe (child of PID 1504)
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a4168f1af62a359761d68c5693df52f19b2ad083792c650f8c51fd0ca596ee.dll,#1
        Suspicious behavior: RenamesItself
        PID: 228
The ",#1" argument tells rundll32 to call the DLL's export at ordinal 1, so no export name needs to be known. The sandbox launched the sample with the 64-bit rundll32.exe (PID 1504); because the DLL is a 32-bit image, rundll32 re-ran the same command line under the WoW64 copy in SysWOW64 (PID 228), and that 32-bit process is where the Gh0st RAT payload was found in memory.
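As an added example (not tria.ge code and not part of the report), the following Python script reads the process, WriteProcessMemory and memory-YARA records from this report, transcribed by hand into the lists at the top, and derives the triage points discussed above: the DLL loaded from the user's Temp directory, the entry point called by ordinal, the 64-bit-to-SysWOW64 rundll32 relaunch, the parent-to-child memory writes, and the payload region sitting at the default 32-bit DLL base. The record field names are my own choice, not the tria.ge schema, and the detection goes slightly beyond this one report in that it also labels a write from an unrelated process as possible injection.

```python
import re

# Constructed records, transcribed from the report above (field names are my own).
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\a8a4168f1af62a359761d68c5693df52f19b2ad083792c650f8c51fd0ca596ee.dll")

PROCESSES = [
    {"pid": 1504, "parent": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 228, "parent": 1504, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
]
# (source pid, target pid), one entry per WriteProcessMemory IoC in the report
MEMORY_WRITES = [(1504, 228), (1504, 228), (1504, 228)]
# Memory-dump YARA hit; region taken from "228-0-0x0000000010000000-0x000000001014F000-memory.dmp"
YARA_HITS = [{"pid": 228, "start": 0x10000000, "end": 0x1014F000, "rule": "family_gh0strat"}]

# rundll32 <dll>,<entry> where <entry> is an export name or #ordinal
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<entry>#\d+|\w+)\s*$", re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
DLL_DEFAULT_BASE = 0x10000000  # MSVC linker default /BASE for a 32-bit DLL


def parse_rundll32(cmdline):
    """Return (dll_path, entry) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll"), m.group("entry")) if m else None


def is_wow64(image):
    """True when the image lives in SysWOW64, i.e. a 32-bit binary on a 64-bit Windows."""
    return "\\syswow64\\" in image.lower()


def assess(processes, memory_writes, yara_hits):
    """Return a list of (pid, finding) tuples derived from the three record types."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []

    for p in processes:
        parsed = parse_rundll32(p["cmdline"])
        if parsed is None:
            continue
        dll, entry = parsed
        if USER_TEMP_RE.search(dll):
            findings.append((p["pid"], "rundll32 loads a DLL from the user's Temp directory"))
        if entry.startswith("#"):
            findings.append((p["pid"], f"DLL entry point called by ordinal {entry}"))
        parent = by_pid.get(p["parent"])
        # Same command line, 64-bit parent, 32-bit child: rundll32 relaunching itself for a 32-bit DLL
        if parent and is_wow64(p["image"]) and not is_wow64(parent["image"]) \
                and parse_rundll32(parent["cmdline"]) == parsed:
            findings.append((p["pid"], f"64-bit rundll32 (pid {parent['pid']}) re-ran the 32-bit DLL under SysWOW64"))

    for (src, dst), count in sorted((w, memory_writes.count(w)) for w in set(memory_writes)):
        if src == by_pid.get(dst, {}).get("parent"):
            findings.append((dst, f"{count} WriteProcessMemory calls from parent pid {src}; "
                                  "corroborating only, a parent also writes into a child during start-up"))
        else:
            findings.append((dst, f"{count} WriteProcessMemory calls from unrelated pid {src}; possible injection"))

    for h in yara_hits:
        size = h["end"] - h["start"]
        note = f"{h['rule']} matched in 0x{h['start']:08X}-0x{h['end']:08X} ({size} bytes)"
        if h["start"] == DLL_DEFAULT_BASE:
            note += "; region starts at the default 32-bit DLL base, so the dump is likely the unrelocated DLL image"
        findings.append((h["pid"], note))
    return findings


def family_verdict(yara_hits):
    """Name a family only from family_* YARA hits in memory; behaviour alone does not identify gh0strat."""
    return sorted(h["rule"][len("family_"):] for h in yara_hits if h["rule"].startswith("family_"))


if __name__ == "__main__":
    for pid, finding in assess(PROCESSES, MEMORY_WRITES, YARA_HITS):
        print(f"pid {pid}: {finding}")
    print("family:", ", ".join(family_verdict(YARA_HITS)) or "unknown")
```

Run as-is it prints seven findings for this report and the family name gh0strat; to reuse it on another report, replace the three record lists with that report's process tree, memory writes and YARA hits.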