Analysis
- max time kernel: 156s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/11/2022, 02:32
Behavioral task
- behavioral1
  - Sample: 3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll
  - Resource: win7-20220812-en
General
- Target: 3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll
- Size: 101KB
- MD5: f423bd59ca51af040094b88af5fb9152
- SHA1: cdcbd1d1d96acf939789c0376d0144ef30eef599
- SHA256: 3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a
- SHA512: 82a110eeaa45fc3bc7dc480f3e394685a57b6dca749837c7158879a13b57c255f7766a54b15b8ff02c69ed4375eda47c15ca9cfa9759837154cb505a7512d66b
- SSDEEP: 3072:CwZSQpKa3VGVnpUlCz764/9xpEEBqbZuw45iG:JJVGpxx9b3wZuw44G
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  - resource / yara_rule:
    - behavioral2/files/0x000a000000022e0b-133.dat: family_gh0strat
    - behavioral2/files/0x000a000000022e0b-134.dat: family_gh0strat
- Loads dropped DLL (1 IoC)
  - pid / Process: 4824 svchost.exe
- Drops file in Windows directory (2 IoCs)
  - description / ioc / Process:
    - File opened for modification: C:\Windows\FileName.jpg (rundll32.exe)
    - File created: C:\Windows\FileName.jpg (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid / Process: 4824 svchost.exe (all 64 entries are identical)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  - description / pid / Process:
    - Token: SeBackupPrivilege, 2748, rundll32.exe (4 entries)
    - Token: SeRestorePrivilege, 2748, rundll32.exe (4 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - description / pid / Process / procid_target:
    - PID 1044 wrote to memory of 2748: 1044, rundll32.exe, 79 (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll,#1
  - Suspicious use of WriteProcessMemory
  - PID: 1044
  - child: C:\Windows\SysWOW64\rundll32.exe
    - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll,#1
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - PID: 2748
- C:\Windows\SysWOW64\svchost.exe
  - command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - PID: 4824
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 15.6MB
  - MD5: 3fd7fd3385e64bc170a095c2afa4eecd
  - SHA1: 892e1432d9d2c98d30826bca3dade01ce0d911fc
  - SHA256: 161a9b7b98516f01a4e45ca4c5857465c95b0548831b4002c08441d8d93819d7
  - SHA512: 9da47037df5872905cf7052fda5a8187637383f0355053a096085ed10680d2d5abb559d24bd6d807dd1b510d9e260a536f1c14067c5ae1c4f4ad85de1ed06f5b