Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 24/06/2024, 21:43
Behavioral task: behavioral1
Sample: 81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b.dll
Resource: win7-20240220-en
4 signatures
150 seconds
General
Target: 81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b.dll
Size: 899KB
MD5: 159d056a5a13e7347bdeb84eb6a93dd8
SHA1: fb110eba343fcb58506d3d2c4a10e0412b628087
SHA256: 81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b
SHA512: 41566fe3db01bd08d77024c2aaff405283de4c75d93ababc5929fffb237dd881b5cda91345afbe0a40d2dd5f67eafb1ce43cabad90f0b34b9939e13d1e62e513
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXc:7wqd87Vc
Malware Config (extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  resource:  behavioral1/memory/1892-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid 1892, process rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid   process       procid_target
  PID 2192 wrote to memory of 1892     2192  rundll32.exe  29
  (the same parent-to-child write event is recorded 7 times)
Processes

C:\Windows\system32\rundll32.exe  (PID 2192)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b.dll,#1
  signature: Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe  (PID 1892)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b.dll,#1
      signature: Suspicious behavior: RenamesItself
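The process tree and signature hits above, re-checked in code. This is an added example and not part of the tria.ge report: the events are constructed from the PIDs, image paths, command lines, memory region and hashes shown on this page, and the field and function names are ours. It flags rundll32 loading a DLL from %TEMP% by ordinal export (#1), pairs the system32 to SysWOW64 rundll32 hop with the count of WriteProcessMemory events, and parses the memory-dump name to show the payload mapped at 0x10000000, the default image base of a 32-bit DLL that was never relocated. Two caveats a practitioner should keep in mind: the hop is what the 64-bit rundll32 does when handed a 32-bit DLL, and a parent writing into a child it has just created is ordinary process start-up, so neither is a verdict by itself; the in-memory family_gh0strat YARA hit is the finding that carries the weight.

```python
"""Triage helpers for the rundll32 -> SysWOW64 rundll32 tree in the report above.

Added example, not code from the tria.ge report. All events below are constructed
from the values printed on the page; the dataclass fields and function names are ours.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_SHA256 = "81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
CMDLINE = f"rundll32.exe {TEMP_DIR}\\{SAMPLE_SHA256}.dll,#1"
DEFAULT_DLL_BASE = 0x10000000  # MSVC default image base for a 32-bit DLL that was not rebased


@dataclass
class Process:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None


# Constructed from the Processes section: 64-bit rundll32 (2192) spawns 32-bit rundll32 (1892)
PROCESSES = [
    Process(2192, r"C:\Windows\system32\rundll32.exe", CMDLINE),
    Process(1892, r"C:\Windows\SysWOW64\rundll32.exe", CMDLINE, parent=2192),
]
# Constructed from the signature table: the same parent->child write recorded 7 times
WPM_EVENTS = [(2192, 1892)] * 7
# Memory dump names in the report's own format: <pid>-<n>-<start>-<end>-memory.dmp
MEMORY_DUMPS = ["1892-0-0x0000000010000000-0x000000001014F000-memory.dmp"]

DUMP_RE = re.compile(
    r"^(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
CMD_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<entry>#\d+|\w+)", re.IGNORECASE)


def parse_dump(name: str) -> dict:
    """Split a tria.ge memory-dump file name into pid, start, end and region size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def rundll32_from_temp(p: Process) -> bool:
    """rundll32 invoked on a DLL under %TEMP% via an ordinal export (#N), as in the report."""
    m = CMD_RE.search(p.cmdline)
    return bool(m) and "\\appdata\\local\\temp\\" in m["dll"].lower() and m["entry"].startswith("#")


def wow64_hop(procs: list) -> list:
    """system32\\rundll32.exe relaunching SysWOW64\\rundll32.exe with the same command line.
    This is the normal WoW64 redirection for a 32-bit DLL, so it is context, not a verdict."""
    by_pid = {p.pid: p for p in procs}
    hops = []
    for child in procs:
        parent = by_pid.get(child.parent)
        if (parent
                and parent.image.lower().endswith(r"\system32\rundll32.exe")
                and child.image.lower().endswith(r"\syswow64\rundll32.exe")
                and parent.cmdline.lower() == child.cmdline.lower()):
            hops.append((parent.pid, child.pid))
    return hops


def unrelocated_dll_in_memory(dumps: list, pid: int) -> list:
    """Regions in <pid> starting at the default 32-bit DLL base: a DLL image mapped without
    relocation, which is the region where family_gh0strat matched in the report."""
    return [d for d in (parse_dump(n) for n in dumps)
            if d["pid"] == pid and d["start"] == DEFAULT_DLL_BASE]


def triage(procs=PROCESSES, wpm=WPM_EVENTS, dumps=MEMORY_DUMPS) -> list:
    """Turn the raw events into human-readable findings, weakest context first."""
    findings = []
    for p in procs:
        if rundll32_from_temp(p):
            findings.append(f"rundll32 loading a DLL from %TEMP% by ordinal: pid {p.pid}")
    for parent, child in wow64_hop(procs):
        n = sum(1 for s, t in wpm if s == parent and t == child)
        findings.append(f"system32->SysWOW64 rundll32 hop {parent}->{child} "
                        f"with {n} WriteProcessMemory events")
        for d in unrelocated_dll_in_memory(dumps, child):
            findings.append(f"pid {child}: 0x{d['size']:X}-byte image at default DLL base "
                            f"0x{d['start']:X} (YARA family_gh0strat region)")
    return findings


def file_matches_report(path: str) -> bool:
    """Confirm a local file is the sample this report describes before reusing its IoCs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == SAMPLE_SHA256


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Feed `triage()` your own process, WriteProcessMemory and memory-dump records in the same shape to apply the same checks to other tria.ge reports; `file_matches_report()` is the step to run before hunting on the C2 domain, so you are acting on the hashes of the file you actually hold.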