Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  Max time kernel: 140s
  Max time network: 120s
  Platform: windows7_x64
  Resource: win7-20240508-en
  Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  Submitted: 24/06/2024, 21:46
Behavioral task: behavioral1
  Sample: 1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81.dll
  Resource: win7-20240508-en
  Signatures: 4
  Duration: 150 seconds
General
  Target: 1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81.dll
  Size: 899KB
  MD5: 28c4be1823536ad9d43417a2369dbc15
  SHA1: 21f3a967d984c2f8477332e35ebb105c64c1579e
  SHA256: 1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81
  SHA512: 3a12fcef14898956e623f9c4ba960483444f4157f25d9ef7b9867eb54d95586b91659c598ac718b8ef68e73b1fc95d843661f9da78626969e30f6b87efd4faef
  SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX9:7wqd87V9
Malware Config
  Extracted
    Family: gh0strat
    C2: hackerinvasion.f3322.net
Signatures
  Gh0st RAT payload (1 IoC)
    resource: behavioral1/memory/2408-0-0x0000000010000000-0x000000001014F000-memory.dmp
    yara_rule: family_gh0strat
  Suspicious behavior: RenamesItself (1 IoC)
    pid: 2408
    Process: rundll32.exe
  Suspicious use of WriteProcessMemory (7 IoCs)
    description: PID 2164 wrote to memory of 2408
    pid: 2164
    Process: rundll32.exe
    procid_target: 28
    (the same entry is listed 7 times in the report)
Processes
  1. C:\Windows\system32\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81.dll,#1
     PID: 2164
     Signature: Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81.dll,#1
        PID: 2408
        Signature: Suspicious behavior: RenamesItself