Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 151s
max time network: 54s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28/11/2022, 02:32
Behavioral task: behavioral1
Sample: 3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll
Resource: win7-20220812-en
General
Target: 3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll
Size: 101KB
MD5: f423bd59ca51af040094b88af5fb9152
SHA1: cdcbd1d1d96acf939789c0376d0144ef30eef599
SHA256: 3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a
SHA512: 82a110eeaa45fc3bc7dc480f3e394685a57b6dca749837c7158879a13b57c255f7766a54b15b8ff02c69ed4375eda47c15ca9cfa9759837154cb505a7512d66b
SSDEEP: 3072:CwZSQpKa3VGVnpUlCz764/9xpEEBqbZuw45iG:JJVGpxx9b3wZuw44G
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
resource: behavioral1/files/0x000d00000001267a-56.dat, yara_rule: family_gh0strat

Drops file in Windows directory (2 IoCs)
File opened for modification: C:\Windows\FileName.jpg (rundll32.exe)
File created: C:\Windows\FileName.jpg (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (40 IoCs)
40 identical entries, all from PID 784 svchost.exe.

Suspicious use of AdjustPrivilegeToken (8 IoCs)
PID 1788 rundll32.exe adjusted its token eight times, alternating SeBackupPrivilege and SeRestorePrivilege (four Token entries each). Enabling these two privileges lets a process read and write files regardless of their ACLs, which is consistent with the drop into C:\Windows above.

Suspicious use of WriteProcessMemory (7 IoCs)
PID 1112 rundll32.exe wrote to the memory of PID 1788 rundll32.exe (procid_target: 28), seven times. No write into any other process, including svchost.exe PID 784, is recorded.
Processes
1. C:\Windows\system32\rundll32.exe (PID 1112)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1788), child of PID 1112
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll,#1
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\svchost.exe (PID 784)
   Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
   - Suspicious behavior: EnumeratesProcesses

The DLL is invoked by ordinal (,#1) rather than by export name. The 64-bit rundll32.exe (PID 1112) re-launching the SysWOW64 rundll32.exe (PID 1788) with an identical command line is how 64-bit Windows runs a 32-bit DLL through rundll32 (the resource tags list arch:x86); the observable behaviour, the drop of C:\Windows\FileName.jpg and the SeBackup/SeRestore token adjustments, occurs in the 32-bit child. svchost.exe -k imgsvc (PID 784) is listed at the top level with no parent relationship to the sample, and no event in this report ties it to the sample.
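As an added example, not part of the tria.ge report, the following Python turns the process-tree and file-drop signatures above into detection logic and runs it over constructed Sysmon-style events. The event field names (id, pid, ppid, image, cmd, target), the parent PIDs 600 and 480, and the benign control process PID 2001 are assumptions; the PIDs 1112, 1788 and 784, the command lines and the dropped path come from the report. The rules generalize the page's single case: any rundll32 loading a DLL from a user Temp directory by ordinal, any system32-to-SysWOW64 rundll32 relaunch with the same DLL, and any rundll32 write under the Windows directory.

```python
"""Detection logic for the rundll32 behaviour in this report, applied to
constructed Sysmon-style events (id 1 = process create, id 11 = file
create).  Added example; not the tria.ge report's own code."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_SHA256 = "3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a"
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_SHA256 + ".dll"

# "rundll32.exe <dll>,<entry>": captures the DLL path and the entry point,
# which may be an export name or an ordinal such as "#1".
_RUNDLL32_CMD = re.compile(
    r'(?i)rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>#?\w+)'
)
# DLL staged under a user's %LOCALAPPDATA%\Temp.
_USER_TEMP = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\local\\temp\\")
# File written under the Windows directory, excluding Windows\Temp.
_WINDOWS_DIR = re.compile(r"(?i)^[a-z]:\\windows\\(?!temp\\)")


def _is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def parse_rundll32_cmd(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry) for a rundll32 command line, else None."""
    m = _RUNDLL32_CMD.search(cmd)
    return (m.group("dll"), m.group("entry")) if m else None


def detect(events: Iterable[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) hits, in event order."""
    events = list(events)
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits: List[Tuple[str, int]] = []
    for e in events:
        if not _is_rundll32(e["image"]):
            continue
        if e["id"] == 1:
            parsed = parse_rundll32_cmd(e["cmd"])
            if parsed is None:
                continue
            dll, entry = parsed
            # Rule 1: DLL from a user Temp directory invoked by ordinal.
            if _USER_TEMP.search(dll) and entry.startswith("#"):
                hits.append(("rundll32_temp_dll_by_ordinal", e["pid"]))
            # Rule 2: system32 rundll32 -> SysWOW64 rundll32 with the same
            # DLL.  This is how 64-bit Windows runs a 32-bit DLL, so on its
            # own it is only a corroborating signal for rule 1.
            parent = procs.get(e["ppid"])
            if (parent is not None and _is_rundll32(parent["image"])
                    and "\\syswow64\\" in e["image"].lower()
                    and "\\system32\\" in parent["image"].lower()):
                pparsed = parse_rundll32_cmd(parent["cmd"])
                if pparsed is not None and pparsed[0].lower() == dll.lower():
                    hits.append(("rundll32_wow64_relaunch_same_dll", e["pid"]))
        elif e["id"] == 11 and _WINDOWS_DIR.match(e["target"]):
            # Rule 3: rundll32 creating a file under C:\Windows.
            hits.append(("rundll32_writes_windows_dir", e["pid"]))
    return hits


# Constructed events.  PIDs 1112/1788/784, the command lines and the dropped
# file path follow the report; parent PIDs 600/480 and PID 2001 are invented.
CONSTRUCTED_EVENTS: List[Dict] = [
    {"id": 1, "pid": 1112, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32.exe " + SAMPLE_DLL + ",#1"},
    {"id": 1, "pid": 1788, "ppid": 1112, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": "rundll32.exe " + SAMPLE_DLL + ",#1"},
    {"id": 1, "pid": 784, "ppid": 480, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmd": r"C:\Windows\SysWOW64\svchost.exe -k imgsvc"},
    # Benign control: rundll32 calling a system DLL by export name.
    {"id": 1, "pid": 2001, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 11, "pid": 1788, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\Windows\FileName.jpg"},
    # Benign control: a write under Windows\Temp is not flagged.
    {"id": 11, "pid": 2001, "image": r"C:\Windows\system32\rundll32.exe",
     "target": r"C:\Windows\Temp\wct1234.tmp"},
]

if __name__ == "__main__":
    for rule, pid in detect(CONSTRUCTED_EVENTS):
        print(f"{rule}: PID {pid}")
```

Rule 2 is deliberately not an alert on its own: the SysWOW64 relaunch happens for every 32-bit DLL handed to the 64-bit rundll32, so treat it as context that strengthens a hit on rule 1 or rule 3 for the same PID.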
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 2.3MB
MD5: 2df410a776568b6cebf7e85895774a30
SHA1: 66e1659f811ecd330887270a139c748e9d23ab9d
SHA256: 01a2a84721040c7ac71f24ec6a514c02b68814dbed5e33b9e6a7f5a7c2dfa0be
SHA512: 4ee8d0e2dba9a17bf5ceae348dc1665546a728021feef80d3dcdfec14113f153fed9e47339a322933eaaf794b6b1572fdf4e6e14e797a3bbe9a3c24f27ee5487