Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 16:02
Behavioral task
behavioral1
Sample
41732e6f57225097ba1b37342448b5800304ae3d9b6386d71b447001acb3aeac.dll
Resource
win7-20240708-en
General
-
Target
41732e6f57225097ba1b37342448b5800304ae3d9b6386d71b447001acb3aeac.dll
-
Size
430KB
-
MD5
306a4d89cf216db587cf74bd01a66e37
-
SHA1
cf6c6d3cfcc0fa141419dfc400fa5669c8da226a
-
SHA256
41732e6f57225097ba1b37342448b5800304ae3d9b6386d71b447001acb3aeac
-
SHA512
a10672fba25d36d2348ff7e9b98e23365a401a10dc2e12d1431e0aeb020aa1b7509c53062aedfe7953ed66d3c424394446f58829e33afecaecae3a5c217203e7
-
SSDEEP
12288:q9j8pWxJdNxnSJwu416c9y0wiL7s1T37AVu68VnogfN7oSy:q9I+dGwu13UVb+n3fN8
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4024-14-0x0000000000400000-0x0000000000543000-memory.dmp purplefox_rootkit behavioral2/memory/4024-13-0x0000000010000000-0x00000000101A0000-memory.dmp purplefox_rootkit behavioral2/memory/4024-18-0x0000000010000000-0x00000000101A0000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/4024-14-0x0000000000400000-0x0000000000543000-memory.dmp family_gh0strat behavioral2/memory/4024-13-0x0000000010000000-0x00000000101A0000-memory.dmp family_gh0strat behavioral2/memory/4024-18-0x0000000010000000-0x00000000101A0000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Executes dropped EXE 1 IoCs
pid Process 992 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4416 set thread context of 4024 4416 rundll32.exe 85 -
resource yara_rule behavioral2/memory/4416-0-0x0000000010000000-0x00000000100FE000-memory.dmp upx behavioral2/memory/4024-2-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral2/memory/4024-1-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral2/memory/4024-9-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral2/memory/4024-7-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral2/memory/4024-3-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral2/memory/4024-8-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral2/memory/4024-6-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral2/memory/4024-10-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral2/memory/4024-14-0x0000000000400000-0x0000000000543000-memory.dmp upx -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\NetMeeting\svchost.exe svchost.exe File opened for modification C:\Program Files (x86)\NetMeeting\svchost.exe svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3196 cmd.exe 3488 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3488 PING.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 4024 svchost.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 5080 wrote to memory of 4416 5080 rundll32.exe 84 PID 5080 wrote to memory of 4416 5080 rundll32.exe 84 PID 5080 wrote to memory of 4416 5080 rundll32.exe 84 PID 4416 wrote to memory of 4024 4416 rundll32.exe 85 PID 4416 wrote to memory of 4024 4416 rundll32.exe 85 PID 4416 wrote to memory of 4024 4416 rundll32.exe 85 PID 4416 wrote to memory of 4024 4416 rundll32.exe 85 PID 4416 wrote to memory of 4024 4416 rundll32.exe 85 PID 4416 wrote to memory of 4024 4416 rundll32.exe 85 PID 4416 wrote to memory of 4024 4416 rundll32.exe 85 PID 4416 wrote to memory of 4024 4416 rundll32.exe 85 PID 4024 wrote to memory of 3196 4024 svchost.exe 87 PID 4024 wrote to memory of 3196 4024 svchost.exe 87 PID 4024 wrote to memory of 3196 4024 svchost.exe 87 PID 3196 wrote to memory of 3488 3196 cmd.exe 89 PID 3196 wrote to memory of 3488 3196 cmd.exe 89 PID 3196 wrote to memory of 3488 3196 cmd.exe 89
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\41732e6f57225097ba1b37342448b5800304ae3d9b6386d71b447001acb3aeac.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\41732e6f57225097ba1b37342448b5800304ae3d9b6386d71b447001acb3aeac.dll,#12⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\svchost.exesvchost.exe fagahawhawhgawccc3⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\svchost.exe > nul4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.15⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3488
-
-
-
-
-
C:\Program Files (x86)\NetMeeting\svchost.exe"C:\Program Files (x86)\NetMeeting\svchost.exe" -auto1⤵
- Executes dropped EXE
PID:992
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5b7c999040d80e5bf87886d70d992c51e
SHA1a8ed9a51cc14ccf99b670e60ebbc110756504929
SHA2565c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e
SHA51271ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309