Analysis
-
max time kernel
186s -
max time network
69s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
06/11/2022, 04:07
Behavioral task
behavioral1
Sample
f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe
Resource
win10v2004-20220812-en
General
-
Target
f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe
-
Size
73KB
-
MD5
22c41b7f6097a2ebd7d98b51ed8eb476
-
SHA1
696651a10bb922e4ff3cda08879a9789e79f2fb1
-
SHA256
f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013
-
SHA512
05ceca6abd4928f0dfdb189dcc33df171afb248bfa02be4299862608ea9b279c38c70bdec68a2c5ea593c3a66c4bb443e7198a7313ce1cfe8bfcefde289ecadb
-
SSDEEP
1536:pZm8hEnrtUqKpriZVLnocQ67frP8Q18sQn7jt7D:28hEnRUZrMLnoT6LrP828sQn7jt7D
Malware Config
Signatures
-
Gh0st RAT payload 6 IoCs
resource yara_rule
behavioral1/files/0x00140000000054ab-55.dat family_gh0strat
behavioral1/files/0x00140000000054ab-54.dat family_gh0strat
behavioral1/files/0x00140000000054ab-61.dat family_gh0strat
behavioral1/files/0x00140000000054ab-60.dat family_gh0strat
behavioral1/files/0x00140000000054ab-59.dat family_gh0strat
behavioral1/files/0x00140000000054ab-62.dat family_gh0strat
-
Blocklisted process makes network request 1 IoCs
flow pid Process
2 1404 rundll32.exe
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.Net CLR\Parameters\ServiceDll = "C:\\Windows\\system32\\AirCmd.dll" f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe
-
Deletes itself 1 IoCs
pid Process
1404 rundll32.exe
-
Loads dropped DLL 5 IoCs
pid Process
1436 svchost.exe
1404 rundll32.exe
1404 rundll32.exe
1404 rundll32.exe
1404 rundll32.exe
-
Drops file in System32 directory 1 IoCs
description ioc Process
File created C:\Windows\SysWOW64\AirCmd.dll f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1436 svchost.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target
PID 1436 wrote to memory of 1404 1436 svchost.exe 29
(this row appears 7 times in the report)
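The two signatures worth hunting on are the registry write and the file drop: the sample registers a bogus svchost-hosted service named ".Net CLR" whose ServiceDll points at C:\Windows\system32\AirCmd.dll, while the file it actually creates lands in C:\Windows\SysWOW64\AirCmd.dll. Those two paths name the same file once WOW64 file-system redirection is taken into account (a 32-bit writer asking for System32 is redirected to SysWOW64), which is consistent with the DLL being hosted by the 32-bit C:\Windows\SysWOW64\svchost.exe -k netsvcs in the process tree, and with rundll32 later calling the export kongqiwin7 with the service name as its argument. The Python below is an added example, not part of the tria.ge report: it runs a ServiceDll-persistence hunt over a handful of constructed Sysmon-style events (EID 13 registry value set, EID 11 file create) modelled on this report's IoCs, folds SysWOW64 onto System32 so the drop and the registry value correlate, and flags writers outside an assumed allowlist. The TRUSTED_WRITERS set, the benign Dhcp baseline event and all log lines are assumptions made for the example.

```python
"""Hunt for svchost-hosted ServiceDll persistence in Sysmon-style telemetry.

Added example for this report; it is not part of the tria.ge output. The events
below are constructed to mirror the report's IoCs (a ServiceDll value set under a
service named '.Net CLR' and a DLL dropped into SysWOW64 by the same process);
field names follow Sysmon EID 13 (RegistryEvent, value set) and EID 11
(FileCreate), but every log line here is made up.
"""
import re
from collections import defaultdict

# Matches ...\Services\<name>\Parameters\ServiceDll in either the Sysmon (HKLM\...)
# or the native (\REGISTRY\MACHINE\...) key spelling.
SERVICEDLL_RE = re.compile(
    r"\\services\\(?P<svc>[^\\]+)\\parameters\\servicedll$", re.IGNORECASE)

# Assumption: processes that legitimately install svchost-hosted services on a
# baseline host. Tune for your estate (e.g. your software deployment agent).
TRUSTED_WRITERS = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\system32\services.exe",
}

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe")

# Constructed events. The first is a benign baseline write (assumed); the last
# two reproduce what the report shows for the sample.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll",
     "Details": r"%SystemRoot%\system32\dhcpcore.dll"},
    {"EventID": 11, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Windows\SysWOW64\AirCmd.dll"},
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": r"HKLM\System\ControlSet001\Services\.Net CLR\Parameters\ServiceDll",
     "Details": r'"C:\\Windows\\system32\\AirCmd.dll"'},   # quoted/escaped as printed in the report
]


def normalize_path(p):
    """Canonicalise a Windows path for correlation.

    Collapses doubled backslashes (as printed in the report), strips quotes,
    lower-cases, expands %SystemRoot%, and folds SysWOW64 onto System32: a 32-bit
    process on x64 that writes to System32 is redirected to SysWOW64, so the same
    DLL shows up as SysWOW64\\... in FileCreate and system32\\... in the registry.
    """
    p = p.replace("\\\\", "\\").strip().strip('"').lower()
    p = p.replace("%systemroot%", r"c:\windows")
    return p.replace("\\syswow64\\", "\\system32\\")


def parse_service_dll_sets(events):
    """Yield (service_name, dll_path, writer_image) for each ServiceDll value set."""
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = SERVICEDLL_RE.search(ev["TargetObject"])
        if m:
            yield m.group("svc"), normalize_path(ev["Details"]), normalize_path(ev["Image"])


def hunt_servicedll_persistence(events):
    """Return findings for ServiceDll writes that look like persistence."""
    created = defaultdict(set)          # writer image -> files it created
    for ev in events:
        if ev.get("EventID") == 11:
            created[normalize_path(ev["Image"])].add(normalize_path(ev["TargetFilename"]))

    findings = []
    for svc, dll, writer in parse_service_dll_sets(events):
        reasons = []
        if writer not in TRUSTED_WRITERS:
            reasons.append("ServiceDll set by untrusted writer")
        if dll in created[writer]:
            reasons.append("writer dropped the DLL it registered")
        if not dll.startswith(("c:\\windows\\system32\\", "c:\\program files")):
            reasons.append("ServiceDll outside system directories")
        if reasons:
            findings.append({"service": svc, "dll": dll, "writer": writer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_servicedll_persistence(EVENTS):
        print(f"[!] service {f['service']!r}: ServiceDll={f['dll']} written by {f['writer']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run as a script it reports the ".Net CLR" service only; the Dhcp write is accepted because its writer is on the allowlist and its DLL lives under System32. Without the SysWOW64 fold the "writer dropped the DLL it registered" correlation would silently miss, which is exactly the gap a dropper running under WOW64 leaves in naive path matching.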
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe"
Level 1
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:956
-
Image: C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
Level 1
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
-
Image: C:\Windows\SysWOW64\rundll32.exe
Command line: rundll32.exe c:\windows\system32\aircmd.dll, kongqiwin7 .Net CLR
Level 2 (child of svchost.exe, PID 1436)
- Blocklisted process makes network request
- Deletes itself
- Loads dropped DLL
PID:1404
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
65KB
MD5
2609e8dae402d982e7a6f0664416e48b
SHA1
49c4315ab9fdcea15338a51e0b3f91b13f6a3cc8
SHA256
f226782d43c11cd708d9132e2bba9aff51889d719f771f71dc028cb1193dadbb
SHA512
1d45f92b26fe89ad8288dc60e018c0551c2d3ce4f225ddd8ccb6064e5c12ca0674c64382daa3b4aa8af84147dd47acb6e0fe358ff578c4a80cc8adeb9a306422