Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

829cf4d4d0...JC.dll

windows7-x64

10

829cf4d4d0...JC.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/10/2023, 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    829cf4d4d062b1fda42b43b4c00eab30_dll32_JC.dll

  • Size

    137KB

  • MD5

    829cf4d4d062b1fda42b43b4c00eab30

  • SHA1

    2d643c9cd1a30bfeb1b9d4642c2cda695dd15251

  • SHA256

    edd2d40dcf22ccda50923974cd012c5f4347f97193f80ba7703e00ec68182bde

  • SHA512

    c73525c66abc8c4d2276c9204185cb2ab697b2f3a5aeb46441b84eae0c480c27c458d085df95633c7a6294006d4eb710e8cb68ce7ffb13e1132cd34449b20c61

  • SSDEEP

    3072:DR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUu+:O25GgFny61mra8

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Blocklisted process makes network request 1 IoCs
  • Registers new Print Monitor 2 TTPs 16 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 2 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 11 IoCs

    Detects file using ACProtect software.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\829cf4d4d062b1fda42b43b4c00eab30_dll32_JC.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\829cf4d4d062b1fda42b43b4c00eab30_dll32_JC.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Registers new Print Monitor
      • Sets service image path in registry
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe -k rundll32
        3⤵
        • Registers new Print Monitor
        • Sets service image path in registry
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        PID:3476
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 624
        3⤵
        • Program crash
        PID:4008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1900 -ip 1900
    1⤵
      PID:2420
    • C:\Windows\system32\Spoolsv.exe
      Spoolsv.exe
      1⤵
      • Registers new Print Monitor
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:4080

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\AppPatch\ComBack.Dll
      Filesize

      137KB

      MD5

      f91ca8802f9e62f67dd4c7220a371fc5

      SHA1

      1ef55e8d8e6208e103ab81067e5f3da73563a4be

      SHA256

      560bfc45cd97f2881e8def5ceefd34cdaaf1e50a5869968370abbe52cc690c6a

      SHA512

      b490076e88731022a5cb7081503dc68e9864259dd3aad68fd559d6405a2c62728e386c7d51308d73a077c098a6e725cb8debd2a660b86c3559eedb7226c4c447

      Download Submit

    • C:\Windows\SysWOW64\com\comb.dll
      Filesize

      128B

      MD5

      e894f6b37b9f8c49fe47ef8b59ef7b70

      SHA1

      e1b7945c0b4bfeec84e19eba07fb865b3083b3c7

      SHA256

      33506206a593cafd9e8547fee0b098df654034223c395f1ab446227d99dc27fb

      SHA512

      48743f485253ae4e3c4618ddd657770b1c9a45f6c24a5e4abe77989b62caaa08443700646fa05094dd164a99f555c4cf70973df8d503fd980d91a85ce3df2d10

      Download Submit

    • C:\Windows\SysWOW64\com\comb.dll
      Filesize

      247B

      MD5

      0bbc8df4e2fec1ea844759a221695128

      SHA1

      fd40aceab2fd9500f97878499bedadf278f6194b

      SHA256

      3f0f04014c854740d397a6fa4d691f37c840e727be29b7160345ade808bbfab7

      SHA512

      c4a61c989298ee38a14dbf9a0245065942c1fa47427e7b972e052041ab4cac7a34b8f84c067d0471c364bc0c9f445670b63cfcf9a945bb5221dd8616e2caabd2

      Download Submit

    • C:\Windows\SysWOW64\com\comb.dll
      Filesize

      326B

      MD5

      bd34b6a9c8c18fcdf20943cf44eb258a

      SHA1

      1ec83775c94f57b6f656739ae3dfa5276d07d929

      SHA256

      6067631cb668c6146d2959c97e702879382dad8ea50e30fe94b62038ac5b7f2a

      SHA512

      5302fc24fcdb6a26e75543c288d078bb634bb836a59ac4bb810625a77bd3a55e95ea2b3a85e143ba46619be476114a119a2a9214d4bf5982cfb0ba0aacf7d61d

      Download Submit

    • memory/1900-6-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1900-7-0x00000000030B0000-0x00000000030CD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1900-12-0x00000000030B0000-0x00000000030CD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1900-11-0x00000000030B0000-0x00000000030CD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1900-5-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1900-15-0x00000000030B0000-0x00000000030CD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1900-35-0x0000000043E50000-0x0000000043E77000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1900-33-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3476-14-0x00000000008C0000-0x00000000008E3000-memory.dmp

      Filesize

      140KB

      Download

    • memory/3476-28-0x0000000000BD0000-0x0000000000BED000-memory.dmp

      Filesize

      116KB

      Download

    • memory/3476-24-0x0000000000BD0000-0x0000000000BED000-memory.dmp

      Filesize

      116KB

      Download

    • memory/3476-27-0x0000000000BD0000-0x0000000000BED000-memory.dmp

      Filesize

      116KB

      Download

    • memory/3476-26-0x0000000000BD0000-0x0000000000BED000-memory.dmp

      Filesize

      116KB

      Download

    • memory/3476-34-0x0000000000A80000-0x0000000000AA7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3476-21-0x0000000000A80000-0x0000000000AA7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3476-13-0x0000000000A80000-0x0000000000AA7000-memory.dmp

      Filesize

      156KB

      Download