Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24/06/2024, 21:46
Behavioral task
- behavioral1
- Sample: a9ea998bd1f6020b36c4e24f266b01ade142585707b09ab401a8b33fab514769.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: a9ea998bd1f6020b36c4e24f266b01ade142585707b09ab401a8b33fab514769.dll
- Size: 50KB
- MD5: 342131c828711bd6567d6bb1cc0132b8
- SHA1: 39e1f30da7d8a48f0ce38ddb311342b501fe42bc
- SHA256: a9ea998bd1f6020b36c4e24f266b01ade142585707b09ab401a8b33fab514769
- SHA512: f75d2f3c3ab64f0ca45363a001be9eb7cfba8a1d17a5c2de273b845bc5488ac69483607896f69d4745de08666dd58006ff55f5de166b2f4d0d330f464ed71352
- SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o53JYH:W5ReWjTrW9rNPgYohJYH
Malware Config
Extracted
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/1708-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 1708
  Process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1956 wrote to memory of 1708
  pid: 1956
  Process: rundll32.exe
  procid_target: 28
  (this entry is listed 7 times in the report, once per recorded write)
Processes
1. C:\Windows\system32\rundll32.exe (PID:1956)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9ea998bd1f6020b36c4e24f266b01ade142585707b09ab401a8b33fab514769.dll,#1
   - Suspicious use of WriteProcessMemory
   2. Child: C:\Windows\SysWOW64\rundll32.exe (PID:1708)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9ea998bd1f6020b36c4e24f266b01ade142585707b09ab401a8b33fab514769.dll,#1
      - Suspicious behavior: RenamesItself