Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

e15e51d84f...bd.dll

windows7-x64

10

e15e51d84f...bd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    198s
  • max time network
    234s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e15e51d84f7bb087d0d9722d3ff7d376dc9469f490cdd7424b0992720b276ebd.dll

  • Size

    133KB

  • MD5

    b8f6ee37da1463c2c68c45eccb8c3270

  • SHA1

    ab96af06f7f0d8a4499405ca014dd0120432a297

  • SHA256

    e15e51d84f7bb087d0d9722d3ff7d376dc9469f490cdd7424b0992720b276ebd

  • SHA512

    9f2808d474e807d95b366a7683ec5186636cef444b2a36164d8c51f9b9bc61652afa38bf6cafa4791b111d59f8f7a34735694bfd1c49092743089c127fef4545

  • SSDEEP

    3072:wixrcYyNNBxIf58d6UuSMhXk22T94oz7vEEZzcdzJO:BANBxIxh0u4TSg7vECzcR0

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e15e51d84f7bb087d0d9722d3ff7d376dc9469f490cdd7424b0992720b276ebd.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e15e51d84f7bb087d0d9722d3ff7d376dc9469f490cdd7424b0992720b276ebd.dll,#1
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4280
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Bwxy\Gwxyabcde.gif
    Filesize

    14.5MB

    MD5

    7c0f6c040d1f9f1d628006c0715ace86

    SHA1

    3a00c19c090adb171716fc794247f235be71f82f

    SHA256

    f8ec03c6930cf7582307ef37e7a0c5960949d1b3bc1a3586aaf790e906af356e

    SHA512

    a940a4161881be5d7940a170cfc93bf1a5251667ae964d556fc511f44ced152b1787685ff35e8dc59613c4124899c5e2d597c6a8d980402ab68ab9cb6bd3b5e1

    Download Submit

  • \??\c:\program files (x86)\bwxy\gwxyabcde.gif
    Filesize

    14.5MB

    MD5

    7c0f6c040d1f9f1d628006c0715ace86

    SHA1

    3a00c19c090adb171716fc794247f235be71f82f

    SHA256

    f8ec03c6930cf7582307ef37e7a0c5960949d1b3bc1a3586aaf790e906af356e

    SHA512

    a940a4161881be5d7940a170cfc93bf1a5251667ae964d556fc511f44ced152b1787685ff35e8dc59613c4124899c5e2d597c6a8d980402ab68ab9cb6bd3b5e1

    Download Submit