Analysis

  • max time kernel
    44s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    27/04/2022, 01:17 UTC

General

  • Target

    244A9C5318E98599C60F3DACBFF48F4F0A898CCDA29AD.exe

  • Size

    184KB

  • MD5

    0a56a968a7f1c3d265acf38740a93d38

  • SHA1

    bf17dcba21603a6681f0f9bbec81d356e33d9029

  • SHA256

    244a9c5318e98599c60f3dacbff48f4f0a898ccda29ad8a6a8625e3cfe0dbc22

  • SHA512

    81d90036885ec7389f146bef660a8553a76179972ddffa5e001f74104165166cf0aad2355db6c80575b26c7b5012aea973470f02913ba128c28e71449f03919f

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
  • suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102

  • Sets DLL path for service in the registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\244A9C5318E98599C60F3DACBFF48F4F0A898CCDA29AD.exe
    "C:\Users\Admin\AppData\Local\Temp\244A9C5318E98599C60F3DACBFF48F4F0A898CCDA29AD.exe"
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1680
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    • Deletes itself
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1724
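The svchost.exe process above is the one that writes to the Master Boot Record. The report records the write but not what was written, so the following is an added forensic check rather than anything from tria.ge or the sample: it parses a 512-byte MBR sector (boot signature, partition table, boot code hash) and diffs a current image against a known-good one. The sample MBR bytes are constructed; on a live Windows host the first sector comes from opening \\.\PhysicalDrive0 as Administrator, and the baseline should be captured from the same machine before infection or from a clean image of the same build.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
# One partition table entry: status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr():
    """Constructed stand-in for a clean MBR: fake boot code, one NTFS partition, 0x55AA signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439  # 446 bytes, constructed
    entry = PART_ENTRY.pack(0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + b"\x55\xaa"


def parse_mbr(sector):
    """Validate the boot signature and return the boot code hash plus the used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(sector, BOOT_CODE_LEN + 16 * i)
        if ptype:  # type 0 means the entry is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def diff_mbr(baseline, current):
    """Return a list of findings describing how `current` differs from the known-good `baseline`."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code modified")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table modified")
    return findings


def read_first_sector(device=r"\\.\PhysicalDrive0"):
    """Read the MBR from a raw device (needs Administrator on Windows, root on Linux with /dev/sda)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    clean = build_sample_mbr()
    # Simulate a bootkit patching the start of the boot code (a jump to its own loader).
    infected = clean[:0x20] + b"\xe9\x00\x00" + clean[0x23:]
    print(parse_mbr(clean)["partitions"])
    print(diff_mbr(clean, infected))
```

A bootkit that only redirects the boot code, as simulated here, leaves the partition table intact, so a check that looks only at the table or the 0x55AA signature misses it; hashing the 446 boot code bytes against a baseline is the minimum. Bootkits that relocate the original MBR elsewhere on disk also show up as an unexpected sector write to the raw device, which is what the sandbox signature above keyed on.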

Network

  • DNS
    chaofeng1.f3322.org
    netsvcs
    Remote address:
    8.8.8.8:53
    Request
    chaofeng1.f3322.org
    IN A
    Response
    chaofeng1.f3322.org
    IN A
    171.38.77.97
  • 171.38.77.97:42419
    chaofeng1.f3322.org
    netsvcs
    152 B
    120 B
    3
    3
  • 171.38.77.97:42420
    chaofeng1.f3322.org
    netsvcs
    152 B
    120 B
    3
    3
  • 171.38.77.97:42421
    chaofeng1.f3322.org
    netsvcs
    1.1kB
    458 B
    11
    9
  • 8.8.8.8:53
    chaofeng1.f3322.org
    dns
    netsvcs
    65 B
    81 B
    1
    1

    DNS Request

    chaofeng1.f3322.org

    DNS Response

    171.38.77.97
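The three outbound connections to 171.38.77.97 are what triggered the "PCRat/Gh0st CnC traffic" Suricata signatures, but the report does not show the packet bytes. The following parser is an added example, not code from tria.ge, Emerging Threats or the sample: it assumes the classic Gh0st framing known from the public source (a 5-byte flag, a little-endian total length that includes the 13-byte header, a little-endian uncompressed length, then a zlib-compressed body). The beacon payload is constructed. Gh0st forks substitute other 5-byte flags, which is why the accepted flags are a parameter.

```python
import struct
import zlib

GH0ST_FLAG = b"Gh0st"
HEADER = struct.Struct("<5sII")  # flag, total frame size incl. header, uncompressed body size
MAX_UNCOMPRESSED = 8 * 1024 * 1024  # refuse absurd sizes before inflating (decompression bomb guard)


def build_frame(payload, flag=GH0ST_FLAG):
    """Produce one Gh0st-style frame; used here only to construct test traffic."""
    body = zlib.compress(payload)
    return HEADER.pack(flag, HEADER.size + len(body), len(payload)) + body


def parse_frame(buf, flags=(GH0ST_FLAG,)):
    """Parse one frame from the start of buf.

    Returns (flag, payload, remaining_bytes) or None if buf does not start with a valid frame.
    """
    if len(buf) < HEADER.size:
        return None
    flag, total, uncompressed = HEADER.unpack_from(buf)
    if flag not in flags:
        return None
    if total < HEADER.size or total > len(buf) or uncompressed > MAX_UNCOMPRESSED:
        return None
    try:
        payload = zlib.decompress(buf[HEADER.size:total], bufsize=max(uncompressed, 1))
    except zlib.error:
        return None
    if len(payload) != uncompressed:  # header lied about the size
        return None
    return flag, payload, buf[total:]


def carve_stream(stream, flags=(GH0ST_FLAG,)):
    """Split a TCP stream into frames; stop at the first byte that is not a valid frame."""
    frames = []
    while stream:
        parsed = parse_frame(stream, flags)
        if parsed is None:
            break
        flag, payload, stream = parsed
        frames.append((flag, payload))
    return frames


# Constructed stand-in for the client's first messages on one of the 171.38.77.97 connections.
SAMPLE_STREAM = (build_frame(b"constructed-beacon: host=WIN7-ADMIN os=6.1 cpu=1")
                 + build_frame(b"constructed-heartbeat"))

if __name__ == "__main__":
    for flag, payload in carve_stream(SAMPLE_STREAM):
        print(flag, len(payload), payload)
```

Matching only the five flag bytes at the start of a stream is what makes the network signature cheap, and it is also why variants renaming the flag evade it; decoding the length fields and actually inflating the body, as done here, gives a much lower false-positive rate when the flag is unknown and can be run over any candidate stream with a list of suspect flags.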

Downloads

  • \??\c:\windows\SysWOW64\ntfastuserswitchingcompatibility.dll

    Filesize

    148KB

    MD5

    e46805ba07872d3ce3153e942e625865

    SHA1

    00fa01edafea33663aea78dec6e87570222d56a2

    SHA256

    fcfb65748ba59e37e962618a484087b43da6be9d787f9d73b156d5f14ffedbd3

    SHA512

    44b0eee1c7818cf02ef4da94ea612981ab97a31e3575971bd543b6a61deece62a428eca33e554e311ff599d596117847a422753e3a393c1ae68ddad5850131cf

  • \Windows\SysWOW64\ntfastuserswitchingcompatibility.dll

    Filesize

    148KB

    MD5

    e46805ba07872d3ce3153e942e625865

    SHA1

    00fa01edafea33663aea78dec6e87570222d56a2

    SHA256

    fcfb65748ba59e37e962618a484087b43da6be9d787f9d73b156d5f14ffedbd3

    SHA512

    44b0eee1c7818cf02ef4da94ea612981ab97a31e3575971bd543b6a61deece62a428eca33e554e311ff599d596117847a422753e3a393c1ae68ddad5850131cf

  • memory/1680-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

    Filesize

    8KB