Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/06/2024, 22:43
Behavioral task: behavioral1
- Sample: bc11d5b4f290bc1f19bb111261e45eee0fd63bf3a8e5840a71934ca728cb020e.dll
- Resource: win7-20240508-en
- Signatures: 4
- Duration: 150 seconds
General
- Target: bc11d5b4f290bc1f19bb111261e45eee0fd63bf3a8e5840a71934ca728cb020e.dll
- Size: 51KB
- MD5: 70b180ef441b91c048db744745ff568e
- SHA1: 6f722f031298bb99fbc83e426c7fcbfffdfc5e5b
- SHA256: bc11d5b4f290bc1f19bb111261e45eee0fd63bf3a8e5840a71934ca728cb020e
- SHA512: 0816b0b9012154a22ffd7c3b2531241fd197490618bb5aefa5150ec1107a88543f9c74880d874165afe6d722578d83d9abb873d24933f96aaf8b38a441542042
- SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLoJYH5:1dWubF3n9S91BF3fbo0JYH5
Malware Config (extracted)
- Family: gh0strat
- C2: kinh.xmcxmr.com
Signatures
- Gh0st RAT payload (1 IoC)
    resource                                                                    yara_rule
    behavioral2/memory/2308-0-0x0000000010000000-0x0000000010011000-memory.dmp  family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
    pid   Process
    2308  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   Process       procid_target
    PID 1492 wrote to memory of 2308  1492  rundll32.exe  83
    PID 1492 wrote to memory of 2308  1492  rundll32.exe  83
    PID 1492 wrote to memory of 2308  1492  rundll32.exe  83
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc11d5b4f290bc1f19bb111261e45eee0fd63bf3a8e5840a71934ca728cb020e.dll,#1
  PID: 1492
  Flags: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc11d5b4f290bc1f19bb111261e45eee0fd63bf3a8e5840a71934ca728cb020e.dll,#1
    PID: 2308
    Flags: Suspicious behavior: RenamesItself