Analysis
max time kernel: 160s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 17:58
Behavioral task
behavioral1
Sample: 99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc.dll
Resource: win7-20220812-en
General
Target: 99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc.dll
Size: 932KB
MD5: 613c1b13ccc2e6f798c54c1acf053880
SHA1: 5535fb1b8f77b4bb9dd19aeb99f8ca78dca67bc0
SHA256: 99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc
SHA512: 92a38c2cd4773b737266c31742dd42e32cd086f0652767cdac4ed562faa26e9fcff8d8cb3426a37cc3b5d6d7dee76b9fec10b592c9d1518f7ad340b77ac47d7e
SSDEEP: 12288:nmv2qPjNvAUUGu7vNOjwQCEGnSe/QdF/nDAuWkgUrNgnvvP9bcMrhtMmyKz2J8fP:nmvvjNFqg8x/Qd5JgUSnHx31ahKz2a
Malware Config
Signatures

Gh0st RAT payload, 7 IoCs (resource, yara_rule):
  behavioral2/memory/2476-134-0x0000000010000000-0x000000001025A000-memory.dmp  family_gh0strat
  behavioral2/files/0x0009000000022e4e-137.dat  family_gh0strat
  behavioral2/files/0x0009000000022e4e-138.dat  family_gh0strat
  behavioral2/memory/2476-139-0x0000000010000000-0x000000001025A000-memory.dmp  family_gh0strat
  behavioral2/files/0x0008000000022e4f-140.dat  family_gh0strat
  behavioral2/files/0x000b000000022e66-141.dat  family_gh0strat
  behavioral2/files/0x000b000000022e66-142.dat  family_gh0strat

Executes dropped EXE, 1 IoC (pid, Process):
  4768  360DL1.exe

Unnamed signature (title missing from the page), yara rule matches (resource, yara_rule):
  behavioral2/memory/2476-133-0x0000000010000000-0x000000001025A000-memory.dmp  vmprotect
  behavioral2/memory/2476-134-0x0000000010000000-0x000000001025A000-memory.dmp  vmprotect
  behavioral2/memory/2476-139-0x0000000010000000-0x000000001025A000-memory.dmp  vmprotect

Drops startup file, 2 IoCs (description, ioc, Process):
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe  rundll32.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe  rundll32.exe

Loads dropped DLL, 2 IoCs (pid, Process):
  4768  360DL1.exe
  5104  svchost.exe

Drops file in Program Files directory, 2 IoCs (description, ioc, Process):
  File opened for modification  C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg  360DL1.exe
  File created  C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg  360DL1.exe

Program crash, 1 IoC (pid, pid_target, Process, procid_target):
  3176  2476  WerFault.exe  79

Suspicious behavior: EnumeratesProcesses, 64 IoCs (pid, Process):
  5104  svchost.exe  (the same row repeated 64 times)

Suspicious behavior: LoadsDriver, 6 IoCs (pid, Process):
  4  Process not Found  (5 times)
  664  Process not Found

Suspicious use of AdjustPrivilegeToken, 8 IoCs (description, pid, Process):
  Token: SeBackupPrivilege  4768  360DL1.exe  (4 times)
  Token: SeRestorePrivilege  4768  360DL1.exe  (4 times)

Suspicious use of SetWindowsHookEx, 1 IoC (pid, Process):
  2476  rundll32.exe

Suspicious use of WriteProcessMemory, 6 IoCs (description, pid, Process, procid_target):
  PID 1952 wrote to memory of 2476  1952  rundll32.exe  79  (3 times)
  PID 2476 wrote to memory of 4768  2476  rundll32.exe  82  (3 times)
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc.dll,#1
  PID: 1952
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc.dll,#1
      PID: 2476
      - Drops startup file
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\360DL1.exe"
          PID: 4768
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 800
          PID: 3176
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2476 -ip 2476
  PID: 3980

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 5104
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1.7MB
MD5: d5976407553b6f09aa2463af31b0767d
SHA1: 7d28d0f7b526de1becbd81821abb7fae20c523d0
SHA256: dd29ab4de43da4281cbd8e146761abcdddb071f366309603fc5b26fa6a8a589a
SHA512: 0a81dc1fb0e164a189b6aa60f7d1c97d44deac4336000b1e6500d264be01cc499f535ef28ef87eaf5d0fcae4d99bb89441fdf7aa3916861541fec6930ad75701

Filesize: 114KB
MD5: ae9006a7c112f2149bdbba71b45b0327
SHA1: 263deb8d3dfab40dbe0eabae3dbc3fcdeb15c4ba
SHA256: c362b3dd13c79c2a332f10ff35a512b6045f23f6bf6a4f98c550db17b341a102
SHA512: 68b1c396508fbeb3ceb4febc3b5e543641814c61770c5f14254960829ee1071a4ca319aa64a91728c8e632a60e2ab72ba00e51809670889aea5d75ad02cbc8cd

Filesize: 114KB
MD5: ae9006a7c112f2149bdbba71b45b0327
SHA1: 263deb8d3dfab40dbe0eabae3dbc3fcdeb15c4ba
SHA256: c362b3dd13c79c2a332f10ff35a512b6045f23f6bf6a4f98c550db17b341a102
SHA512: 68b1c396508fbeb3ceb4febc3b5e543641814c61770c5f14254960829ee1071a4ca319aa64a91728c8e632a60e2ab72ba00e51809670889aea5d75ad02cbc8cd

Filesize: 106KB
MD5: d3db8e3614f714ea0a01f0afeb4d6992
SHA1: 277d3dfcaa9387700fec70ffc390e0f402aa17ee
SHA256: 901d8b8ccbe592f507bf4c6130841fb863e7a189a504f1e8ca69b508dc78ba1f
SHA512: 6b9f991a7d58c11b271e194abec927b728c5a6906441547b050b120bde9399459e5dacca0b3c29b1bf838920595f17eac59a3f369d3d1eac3599c78fe3712156

Filesize: 1.7MB
MD5: d5976407553b6f09aa2463af31b0767d
SHA1: 7d28d0f7b526de1becbd81821abb7fae20c523d0
SHA256: dd29ab4de43da4281cbd8e146761abcdddb071f366309603fc5b26fa6a8a589a
SHA512: 0a81dc1fb0e164a189b6aa60f7d1c97d44deac4336000b1e6500d264be01cc499f535ef28ef87eaf5d0fcae4d99bb89441fdf7aa3916861541fec6930ad75701