Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
28/02/2025, 08:25
Static task
static1
Behavioral task
behavioral1
Sample
259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe
Resource
win7-20240903-en
General
-
Target
259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe
-
Size
206KB
-
MD5
82c28618b901e2b1c14fc8dbecd5011e
-
SHA1
1cfecdad59a26c6a8c44d2c81ac4907764385ef9
-
SHA256
259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8
-
SHA512
b6c177d5146b9a388f2d356d3ccbd460877c0cd1fb7984d31c073d6fc3f14971d40174bf66b43046def43912d89ee4c8e121f8b98c3a58215ff5abd32d2c4736
-
SSDEEP
3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkTF9:X2vnSwjaOcADw9cUeCOf9
Malware Config
Extracted
gh0strat
107.163.241.193:6520
http://107.163.241.181:16300/
http://107.163.241.182:12354/login.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Signatures
-
Gh0strat family
-
Deletes itself 1 IoCs
pid Process 1848 sltbl.exe -
Executes dropped EXE 2 IoCs
pid Process 1848 sltbl.exe 4688 tdv.exe -
Loads dropped DLL 1 IoCs
pid Process 4688 tdv.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Depend = "c:\\Program Files\\rhpwh\\tdv.exe \"c:\\Program Files\\rhpwh\\tdvqi.dll\",Compliance" tdv.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\n: tdv.exe File opened (read-only) \??\p: tdv.exe File opened (read-only) \??\t: tdv.exe File opened (read-only) \??\r: tdv.exe File opened (read-only) \??\s: tdv.exe File opened (read-only) \??\u: tdv.exe File opened (read-only) \??\w: tdv.exe File opened (read-only) \??\z: tdv.exe File opened (read-only) \??\a: tdv.exe File opened (read-only) \??\b: tdv.exe File opened (read-only) \??\h: tdv.exe File opened (read-only) \??\j: tdv.exe File opened (read-only) \??\l: tdv.exe File opened (read-only) \??\o: tdv.exe File opened (read-only) \??\q: tdv.exe File opened (read-only) \??\v: tdv.exe File opened (read-only) \??\x: tdv.exe File opened (read-only) \??\y: tdv.exe File opened (read-only) \??\e: tdv.exe File opened (read-only) \??\g: tdv.exe File opened (read-only) \??\i: tdv.exe File opened (read-only) \??\k: tdv.exe File opened (read-only) \??\m: tdv.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 tdv.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\rhpwh\tdv.exe sltbl.exe File opened for modification \??\c:\Program Files\rhpwh sltbl.exe File created \??\c:\Program Files\rhpwh\tdvqi.dll sltbl.exe File created \??\c:\Program Files\rhpwh\tdv.exe sltbl.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sltbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3816 cmd.exe 4772 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString tdv.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tdv.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4772 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4688 tdv.exe 4688 tdv.exe 4688 tdv.exe 4688 tdv.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4688 tdv.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 544 259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe 1848 sltbl.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 544 wrote to memory of 3816 544 259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe 85 PID 544 wrote to memory of 3816 544 259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe 85 PID 544 wrote to memory of 3816 544 259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe 85 PID 3816 wrote to memory of 4772 3816 cmd.exe 87 PID 3816 wrote to memory of 4772 3816 cmd.exe 87 PID 3816 wrote to memory of 4772 3816 cmd.exe 87 PID 3816 wrote to memory of 1848 3816 cmd.exe 93 PID 3816 wrote to memory of 1848 3816 cmd.exe 93 PID 3816 wrote to memory of 1848 3816 cmd.exe 93 PID 1848 wrote to memory of 4688 1848 sltbl.exe 94 PID 1848 wrote to memory of 4688 1848 sltbl.exe 94 PID 1848 wrote to memory of 4688 1848 sltbl.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe"C:\Users\Admin\AppData\Local\Temp\259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\sltbl.exe "C:\Users\Admin\AppData\Local\Temp\259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4772
-
-
C:\Users\Admin\AppData\Local\Temp\sltbl.exeC:\Users\Admin\AppData\Local\Temp\\sltbl.exe "C:\Users\Admin\AppData\Local\Temp\259050ebd3da9642b6e9a26d157f1a40ce133c0f433c19f30e5b34bfb8227ee8.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\Program Files\rhpwh\tdv.exe"c:\Program Files\rhpwh\tdv.exe" "c:\Program Files\rhpwh\tdvqi.dll",Compliance C:\Users\Admin\AppData\Local\Temp\sltbl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
141KB
MD58a8e001fb85b536c8f12386483a13b03
SHA1d758dc32b7d47f64668c411e20876d9844461f50
SHA25609ea0a55ab69e59d80aa9e344e879d93ee3256c8c82d7e9003be625b70e9e08d
SHA5126aaf04c3478129962652e7ab2e0ae786ba32f7ae864c680b385b3e5066bccacfb147b25cf518f10ae59708be7572e28932e5a7299de0d5799b59842e386882b2
-
Filesize
207KB
MD55f7dde56b6c6d2ad725fcac0026ea0e8
SHA166b8570298e4227e32688c6a8e7b3dea8182cd0c
SHA25646ff5bbb01a0e362a2aae6c6eef7ca89a35b5baf870b6fcf866a1ae7d94f572b
SHA512da96caff11d283da19780a27ee88fc2aff2d014627fd44a57b4ff78546f843f3bbf0fc9520dff792b0dab9ef02a3e221e49b476e48a76ee8148c395124568964