Analysis
- max time kernel: 142s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/06/2024, 21:46
Behavioral task: behavioral1
- Sample: 1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81.dll
- Resource: win7-20240508-en
- 4 signatures
- 150 seconds
General
- Target: 1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81.dll
- Size: 899KB
- MD5: 28c4be1823536ad9d43417a2369dbc15
- SHA1: 21f3a967d984c2f8477332e35ebb105c64c1579e
- SHA256: 1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81
- SHA512: 3a12fcef14898956e623f9c4ba960483444f4157f25d9ef7b9867eb54d95586b91659c598ac718b8ef68e73b1fc95d843661f9da78626969e30f6b87efd4faef
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX9:7wqd87V9
Malware Config (extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  - resource: behavioral2/memory/4084-0-0x0000000010000000-0x000000001014F000-memory.dmp
  - yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  - pid 4084, process rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 816 wrote to memory of 4084 (pid 816, process rundll32.exe, procid_target 81)
  - PID 816 wrote to memory of 4084 (pid 816, process rundll32.exe, procid_target 81)
  - PID 816 wrote to memory of 4084 (pid 816, process rundll32.exe, procid_target 81)
Processes
- C:\Windows\system32\rundll32.exe (PID 816)
  - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81.dll,#1
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\rundll32.exe (PID 4084)
    - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1355219439e45f222f3a6512184340b543e5155e154295e151a9b8dfe719de81.dll,#1
    - Suspicious behavior: RenamesItself