Analysis

max time kernel: 140s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/06/2024, 22:43
Behavioral task: behavioral1

Sample: 384032d54459dd5c5692b4380a7bd3ef1531642ea6b283b8b146cdfb53e412e4.dll
Resource: win7-20240221-en
Signatures: 4
Duration: 150 seconds
General

Target: 384032d54459dd5c5692b4380a7bd3ef1531642ea6b283b8b146cdfb53e412e4.dll
Size: 51KB
MD5: 49217a92551f0df61fc3e839dc210cf9
SHA1: bbb82fcfefc0adc20c3748a9003e80ee9597593b
SHA256: 384032d54459dd5c5692b4380a7bd3ef1531642ea6b283b8b146cdfb53e412e4
SHA512: 25b9d070083603d7256cd5224a8bb5b53154f2ca8f07dbf9ae26d84a61c8d389b1788429728ddd88294b6894753cf73f450a9bc2b5a3a3e1af855a95b05dd65f
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLcJYH5:1dWubF3n9S91BF3fboAJYH5
Malware Config (Extracted)

Family: gh0strat
C2: kinh.xmcxmr.com
Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/3276-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid: 3276
  Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1268 wrote to memory of 3276 | 1268 | rundll32.exe | 88
  PID 1268 wrote to memory of 3276 | 1268 | rundll32.exe | 88
  PID 1268 wrote to memory of 3276 | 1268 | rundll32.exe | 88
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\384032d54459dd5c5692b4380a7bd3ef1531642ea6b283b8b146cdfb53e412e4.dll,#1
   PID: 1268
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1268)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\384032d54459dd5c5692b4380a7bd3ef1531642ea6b283b8b146cdfb53e412e4.dll,#1
      PID: 3276
      Signatures: Suspicious behavior: RenamesItself

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
   PID: 4684