Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/06/2024, 21:43
Behavioral task: behavioral1
- Sample: 81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b.dll
- Resource: win7-20240220-en
- 4 signatures
- 150 seconds
General
- Target: 81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b.dll
- Size: 899KB
- MD5: 159d056a5a13e7347bdeb84eb6a93dd8
- SHA1: fb110eba343fcb58506d3d2c4a10e0412b628087
- SHA256: 81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b
- SHA512: 41566fe3db01bd08d77024c2aaff405283de4c75d93ababc5929fffb237dd881b5cda91345afbe0a40d2dd5f67eafb1ce43cabad90f0b34b9939e13d1e62e513
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXc:7wqd87Vc
Malware Config (Extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/3416-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  pid 3416, process rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process       procid_target
  PID 3692 wrote to memory of 3416   3692  rundll32.exe  82
  PID 3692 wrote to memory of 3416   3692  rundll32.exe  82
  PID 3692 wrote to memory of 3416   3692  rundll32.exe  82
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b.dll,#1
  PID: 3692
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f5e3d94ecffd0586a15db6c6c0824865f5bb3f62462bcf9f1dc7d05ea58b4b.dll,#1
    PID: 3416
    - Suspicious behavior: RenamesItself