Analysis
- max time kernel: 140s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/07/2024, 14:55
Behavioral task
- behavioral1
  - Sample: 2c471bb6500064c76c338a6438c1e9f2059842d447e232eeb078bc9d17bbddeb.dll
  - Resource: win7-20240705-en
General
- Target: 2c471bb6500064c76c338a6438c1e9f2059842d447e232eeb078bc9d17bbddeb.dll
- Size: 899KB
- MD5: 9d8824d5e4766336a13e6bcccbd1c2b0
- SHA1: ad1bd699e25ec79646565be23b541246b30a4b61
- SHA256: 2c471bb6500064c76c338a6438c1e9f2059842d447e232eeb078bc9d17bbddeb
- SHA512: 1a9401f51fac120515e0e619225d424130bfab259a5bc30343f282c52b57d1ca0e791d5d71ace5aea7177c95fac96753fd73be781e7dccac1de57b6996e41cfc
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXx:7wqd87Vx
Malware Config
- Extracted: gh0strat
  - hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/4380-0-0x0000000010000000-0x000000001014F000-memory.dmp | family_gh0strat
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  4380 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3192 wrote to memory of 4380 | 3192 | rundll32.exe | 84
  PID 3192 wrote to memory of 4380 | 3192 | rundll32.exe | 84
  PID 3192 wrote to memory of 4380 | 3192 | rundll32.exe | 84
Processes
- C:\Windows\system32\rundll32.exe (PID 3192)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c471bb6500064c76c338a6438c1e9f2059842d447e232eeb078bc9d17bbddeb.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4380)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c471bb6500064c76c338a6438c1e9f2059842d447e232eeb078bc9d17bbddeb.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself