Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
130s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
21/11/2022, 13:36
Behavioral task
behavioral1
Sample
646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe
Resource
win10v2004-20220812-en
General
-
Target
646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe
-
Size
111KB
-
MD5
32e81745a73a137f0f62dc6b72f14cc0
-
SHA1
6282016eb77734eef1e93c1cac40559969919fbb
-
SHA256
646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1
-
SHA512
2e62ec8afdfbf457d2ace589f33776e7a835ae3f8cde8fbf33b081015c83a7ac954ad001e9a066a7b241f7875cb5bd51e7363b147372f06b45f4277288b5f397
-
SSDEEP
1536:i8uMs+Jc7yvqPbsm8QfLpcILGoka7V2uJp1VcM/vfh7EP8Z8IeIgD31:+N+ibsmUul0uJXVb/Xh7EP88IeIgD
Malware Config
Signatures
-
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/1408-132-0x0000000000400000-0x000000000041BDE0-memory.dmp family_gh0strat behavioral2/files/0x0007000000022f58-133.dat family_gh0strat behavioral2/memory/1408-134-0x0000000000400000-0x000000000041BDE0-memory.dmp family_gh0strat -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\BITS\Parameters\ServiceDll = "C:\\Windows\\system32\\bits.dll" 646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe -
Loads dropped DLL 1 IoCs
pid Process 1408 646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\bits.dll 646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1408 646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe 1408 646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe 1408 646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe 1408 646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe"C:\Users\Admin\AppData\Local\Temp\646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe"1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1408
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:3272
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
103KB
MD5706cfbbd62a3077393423ab04134728c
SHA1133ec633fefbf49171f159ec2457543857aa7b4b
SHA2567d77cfabcdddd9c54d94b87edd92550f4d924a0ed235addbea2c28782c6c61f2
SHA51286500d6b209f7c38194e92d3e6d7f1fb858030b887bb2a39685ef0974c7bed370ab8c37dfe44d6d8a230ee810c3431e0094e87287642c654ea85250490e5fbc0