Analysis
max time kernel: 143s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/06/2024, 21:46
Behavioral task: behavioral1
Sample: 382f85dacec08cc81fcd536cd3ca128f99150f95b46243bb2a423009cb56fcd6.dll
Resource: win7-20240419-en
4 signatures, 150 seconds
General
Target: 382f85dacec08cc81fcd536cd3ca128f99150f95b46243bb2a423009cb56fcd6.dll
Size: 899KB
MD5: 01982894c2e39d4ce30e80bae7e1c210
SHA1: 61afe9ec71581e90599b71c687ebfa5f103e5e34
SHA256: 382f85dacec08cc81fcd536cd3ca128f99150f95b46243bb2a423009cb56fcd6
SHA512: 5faae6a300756ac2b75dc48b28243b0f9af168aa11290c7f0333588a0a509bf7d708746605029195343232d7efbaf80a7970b6644092445a4444aef5c41921e9
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXc:7wqd87Vc
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures
Gh0st RAT payload (1 IoCs)
  resource: behavioral2/memory/3288-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
Suspicious behavior: RenamesItself (1 IoCs)
  pid: 3288    process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process       procid_target
  PID 4148 wrote to memory of 3288   4148  rundll32.exe  90
  PID 4148 wrote to memory of 3288   4148  rundll32.exe  90
  PID 4148 wrote to memory of 3288   4148  rundll32.exe  90
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\382f85dacec08cc81fcd536cd3ca128f99150f95b46243bb2a423009cb56fcd6.dll,#1
  PID: 4148
  Suspicious use of WriteProcessMemory
  child process: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\382f85dacec08cc81fcd536cd3ca128f99150f95b46243bb2a423009cb56fcd6.dll,#1
    PID: 3288
    Suspicious behavior: RenamesItself
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3608 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
  PID: 2256