Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 158s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/11/2022, 15:29
Static task: static1

Behavioral task: behavioral1
- Sample: 3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe
- Resource: win10v2004-20221111-en
General
- Target: 3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe
- Size: 280KB
- MD5: a4e5787613503c79d51ccd921ef47fa4
- SHA1: f3a3b5a54aa6243bf7cf518daecbc1662c355cdf
- SHA256: 3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2
- SHA512: 15ef18c7c324451ed24b6f0d3dcb7d3c41019471a04c1d16577f80d41869f78173d70879b537a646f49b0b49adbbda8e0b46e5a7a1a49fda0d32f641ae9bd193
- SSDEEP: 6144:VR2zrtk4tfVryzVnnmt/cIl9qswB9bJ6dWbnziPcE1kQnd9frAALaFlez:Ontk45oJmt/cI6sAN0WC0zQndFrLky
Malware Config
Signatures

Gh0st RAT payload (3 IoCs)
- behavioral2/files/0x0006000000022e18-142.dat: yara rule family_gh0strat
- behavioral2/files/0x0006000000022e18-141.dat: yara rule family_gh0strat
- behavioral2/files/0x0006000000022e18-144.dat: yara rule family_gh0strat

Executes dropped EXE (3 IoCs)
- PID 3164: rtad.exe
- PID 3388: BaiBi.exe
- PID 4936: Thunder.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nT1V9BbI\Parameters\ServiceDll = "C:\\Windows\\system32\\KcmlvE.pic" (Thunder.exe)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (BaiBi.exe)

Loads dropped DLL (2 IoCs)
- PID 4296: svchost.exe
- PID 2680: rundll32.exe

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\KcmlvE.pic (Thunder.exe)
- File opened for modification: C:\Windows\SysWOW64\system.log (rundll32.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
- PID 1664: WerFault.exe, target PID 4296, procid_target 88

NSIS installer (2 IoCs)
- behavioral2/files/0x0009000000022e09-135.dat: yara rule nsis_installer_2
- behavioral2/files/0x0009000000022e09-136.dat: yara rule nsis_installer_2

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (rtad.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID (rtad.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs (rtad.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (rtad.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID (rtad.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs (rtad.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4936: Thunder.exe (8 entries)
- PID 2680: rundll32.exe (56 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeBackupPrivilege, PID 4936 (Thunder.exe)
- Token: SeRestorePrivilege, PID 4936 (Thunder.exe)
- Token: SeDebugPrivilege, PID 4296 (svchost.exe)
- Token: SeBackupPrivilege, PID 2680 (rundll32.exe)
- Token: SeSecurityPrivilege, PID 2680 (rundll32.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2680: rundll32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3268 (3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe) wrote to memory of PID 3164, procid_target 83 (3 entries)
- PID 3268 (3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe) wrote to memory of PID 3388, procid_target 84 (3 entries)
- PID 3388 (BaiBi.exe) wrote to memory of PID 4936, procid_target 86 (3 entries)
- PID 4296 (svchost.exe) wrote to memory of PID 2680, procid_target 89 (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe"
  PID: 3268
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rtad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rtad.exe"
    PID: 3164
    - Executes dropped EXE
    - Checks SCSI registry key(s)
  - C:\Users\Admin\AppData\Local\Temp\BaiBi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BaiBi.exe"
    PID: 3388
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Thunder.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Thunder.exe"
      PID: 4936
      - Executes dropped EXE
      - Sets DLL path for service in the registry
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k nT1V9BbI
  PID: 4296
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe c:\windows\system32\kcmlve.pic,main nT1V9BbI
    PID: 2680
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 508
    PID: 1664
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4296 -ip 4296
  PID: 3548
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 218KB
  MD5: 4eb9c6c640cbb8c0bab63577a3e973b8
  SHA1: 9b567e2048880c09a71cf04e07c875f7a8fa59f9
  SHA256: ab9026054b08e87a3c35e1524d9a74477906d077642a2122b5cac3c9f0172099
  SHA512: eeeeef74bc7d0d2d3bc3a0280ae4d3912d97c0a20a59341c6f15fcf543a5ec2a3350cc9f83e8aa5e0172caa20586c4ba9e541c56545206433ed35d46e2146925
- Filesize: 5.1MB
  MD5: a3d802c99ceaa1128c90c8e95ad5c5f7
  SHA1: fc89e9caa359932c1619f85f41b7173ce40f97a1
  SHA256: c98c6221ceddff74f56bfe5aa13012477e255aec482542ea041e1278ccd852e4
  SHA512: dbacefbc6f4249f180a88a6f35e6dd3f11161be34a953a95d01241dc62eafa29399c89de0b93db9cccf667efc8077728d925a4fbc0be42f57de07774482685d3
- Filesize: 62KB
  MD5: 950219f287ae876fbfdcc931b103dfe9
  SHA1: 65715d90dc12e821e7bf435280bcc0456558b2e9
  SHA256: ddb824c8dba664ced8d1e085ad454d87cc0598df25cbf01d58c756ecadf921cc
  SHA512: 32c16ac8eea0e56911f22bcfaf136def39fbf9724dc39d803702a47493a2273ed09f2cce029e3f1fc12d79309c208e81f8c93507af90e5f26cd1ce7d6bf76b29
- Filesize: 55.1MB
  MD5: cb2e01fdda21071c7aa7c82b61574932
  SHA1: 9d39318764d9e99edb5ae3c154bd33eec9f0be71
  SHA256: 3d10450b29c39a868564ae064c363130a0a3b307890a5e1e17e55c59fedaefdd
  SHA512: 614c4496de0c9539ed3e82f94d8f917bea3935737ff2eadc9b252f1c58c6545e765c68c1b0344c322af63583ac49ca840037b7c325cd42fd2caf3f705f8a6b8a