Analysis
  max time kernel:  148s
  max time network: 105s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240426-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        11/06/2024, 22:36
Behavioral task: behavioral1
  Sample:     ce39d9bf680bd3adf6b9771bfdf10db7a17a9a18e57fd47b136fdab1fcc43c2f.dll
  Resource:   win7-20240221-en
  Signatures: 4
  Duration:   150 seconds
General
  Target: ce39d9bf680bd3adf6b9771bfdf10db7a17a9a18e57fd47b136fdab1fcc43c2f.dll
  Size:   899KB
  MD5:    32305e747d5cbf7f265923c4c2807825
  SHA1:   b421b2a55844f0461f2972012febb02272553e48
  SHA256: ce39d9bf680bd3adf6b9771bfdf10db7a17a9a18e57fd47b136fdab1fcc43c2f
  SHA512: 0493bf585a78cb4aba6e48b035435a95be65563042bcede6ed7a8f5001b5041b7d3005be1af1cfab80941953ea50f8e4d6d288210388acfacec3a12f868ad5c1
  SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXO:7wqd87VO
Malware Config (extracted)
  Family: gh0strat
  C2:     hackerinvasion.f3322.net
Signatures
  Gh0st RAT payload (1 IoC)
    resource:  behavioral2/memory/1784-0-0x0000000010000000-0x000000001014F000-memory.dmp
    yara_rule: family_gh0strat

  Suspicious behavior: RenamesItself (1 IoC)
    pid   process
    1784  rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   process       procid_target
    PID 2880 wrote to memory of 1784  2880  rundll32.exe  80
    PID 2880 wrote to memory of 1784  2880  rundll32.exe  80
    PID 2880 wrote to memory of 1784  2880  rundll32.exe  80
Processes
  C:\Windows\system32\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce39d9bf680bd3adf6b9771bfdf10db7a17a9a18e57fd47b136fdab1fcc43c2f.dll,#1
    PID:     2880
    flags:   Suspicious use of WriteProcessMemory
    child:
      C:\Windows\SysWOW64\rundll32.exe
        command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce39d9bf680bd3adf6b9771bfdf10db7a17a9a18e57fd47b136fdab1fcc43c2f.dll,#1
        PID:     1784
        flags:   Suspicious behavior: RenamesItself