Analysis
- max time kernel: 152s
- max time network: 90s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 01:55
Behavioral task: behavioral1
- Sample: 845bf1354caa7b63ebbc018675c664f7fdc5d62c8ca54a1b9666a5e6fdbbac04.dll
- Resource: win7-20221111-en
General
- Target: 845bf1354caa7b63ebbc018675c664f7fdc5d62c8ca54a1b9666a5e6fdbbac04.dll
- Size: 124KB
- MD5: 3dc3b47082e3ca911c9a81182a4b71c9
- SHA1: 90ecb80a910ed2e55f8c45ae65a729820a72fbd2
- SHA256: 845bf1354caa7b63ebbc018675c664f7fdc5d62c8ca54a1b9666a5e6fdbbac04
- SHA512: 996ef53596cade0106a2bd15c57c02121128d17b536356784361e632dd3fae0cce6b38aa62e5732a97fbe884b738c171c4311988ea2d8f2b963dd7cc277c92ae
- SSDEEP: 3072:qRn1vFHCqcDVvR7p0+8u9NMK+kl5wHrmXmLeout:IDHRciu9NMrkbwHgceoS
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000e000000012308-56.dat | family_gh0strat
  behavioral1/files/0x000e000000012308-57.dat | family_gh0strat
- Loads dropped DLL (1 IoC)
  pid | Process
  1176 | svchost.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | rundll32.exe
  File created | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  pid | Process
  1176 | svchost.exe (43 identical entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 1668 | rundll32.exe
  Token: SeRestorePrivilege | 1668 | rundll32.exe
  Token: SeBackupPrivilege | 1668 | rundll32.exe
  Token: SeRestorePrivilege | 1668 | rundll32.exe
  Token: SeBackupPrivilege | 1668 | rundll32.exe
  Token: SeRestorePrivilege | 1668 | rundll32.exe
  Token: SeBackupPrivilege | 1668 | rundll32.exe
  Token: SeRestorePrivilege | 1668 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1352 wrote to memory of 1668 | 1352 | rundll32.exe | 28 (7 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\845bf1354caa7b63ebbc018675c664f7fdc5d62c8ca54a1b9666a5e6fdbbac04.dll,#1
  PID: 1352
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\845bf1354caa7b63ebbc018675c664f7fdc5d62c8ca54a1b9666a5e6fdbbac04.dll,#1
    PID: 1668
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 1176
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 5.7MB
  MD5: 4231e97b6584185ef3f53662bcbb7fcb
  SHA1: de9bf1205b6fd2accd8ddcaf77576939c1f1f31f
  SHA256: 370c42c399c3539f9b5ccac39d074fe943af5b4087f00c6c5685ed7035ea1284
  SHA512: dd28816f57637afbf510781617fb18b6f35573e52f6c98c5cae908517659d9898b4be5ccae7e74a09c2f4d77e81329eb81cdb254b6dc902141bbb332921d1636
- Filesize: 5.7MB
  MD5: 4231e97b6584185ef3f53662bcbb7fcb
  SHA1: de9bf1205b6fd2accd8ddcaf77576939c1f1f31f
  SHA256: 370c42c399c3539f9b5ccac39d074fe943af5b4087f00c6c5685ed7035ea1284
  SHA512: dd28816f57637afbf510781617fb18b6f35573e52f6c98c5cae908517659d9898b4be5ccae7e74a09c2f4d77e81329eb81cdb254b6dc902141bbb332921d1636