Analysis
  max time kernel:   140s
  max time network:  104s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240709-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         16/07/2024, 05:49
Behavioral task: behavioral1
  Sample:    eb80e165c1c3c109ad811acd2d836c6a3e5a1f42f86eea8e67a38a9179682a67.dll
  Resource:  win7-20240708-en
  4 signatures
  150 seconds
General
  Target:  eb80e165c1c3c109ad811acd2d836c6a3e5a1f42f86eea8e67a38a9179682a67.dll
  Size:    50KB
  MD5:     f076b3967338c01e3e7fca7888b2d5bc
  SHA1:    7f06c83399720f34f18365ec05db480fc3d297c0
  SHA256:  eb80e165c1c3c109ad811acd2d836c6a3e5a1f42f86eea8e67a38a9179682a67
  SHA512:  07547526f1dcb980bb25d16008e745627c95f2a9ea4b2a2e2093ef41163b6e6007c8d10b53912632141648fef1fcfc6c116bd71a1fdcc65f3c99a6ccc0e3f28f
  SSDEEP:  1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o53JYH:W5ReWjTrW9rNPgYoZJYH
Malware Config
  Extracted
    Family:  gh0strat
    C2:      hackerinvasion.f3322.net
Signatures
  Gh0st RAT payload (1 IoC)
    resource                                                                     yara_rule
    behavioral2/memory/4176-0-0x0000000010000000-0x0000000010011000-memory.dmp   family_gh0strat

  Suspicious behavior: RenamesItself (1 IoC)
    pid   Process
    4176  rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid  Process       procid_target
    PID 672 wrote to memory of 4176   672  rundll32.exe  84
    PID 672 wrote to memory of 4176   672  rundll32.exe  84
    PID 672 wrote to memory of 4176   672  rundll32.exe  84
Processes
  1. C:\Windows\system32\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb80e165c1c3c109ad811acd2d836c6a3e5a1f42f86eea8e67a38a9179682a67.dll,#1
     - Suspicious use of WriteProcessMemory
     PID: 672

     2. C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb80e165c1c3c109ad811acd2d836c6a3e5a1f42f86eea8e67a38a9179682a67.dll,#1
        - Suspicious behavior: RenamesItself
        PID: 4176