Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

285574f2af...d9.exe

windows7-x64

10

285574f2af...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    18/09/2022, 22:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    285574f2af1fee8009e412086a380901bda19e556ab0668517cd899935c54fd9.exe

  • Size

    170KB

  • MD5

    e52837d708ea63b059be2b6a2808a6ce

  • SHA1

    0ecd5098f0e1559ae8fb1434c987e710ad09c14b

  • SHA256

    285574f2af1fee8009e412086a380901bda19e556ab0668517cd899935c54fd9

  • SHA512

    4e9d77a70426476fad82fa6d827504c32d3b02c8020780e5587f3312a1e70f9fe1d7a05cdda2380e936adee8621710f41f1b1f3d195ef4e1e85d7e6a4bbe43b8

  • SSDEEP

    3072:54fSWcZQ5wsMCkE847UR4dbZvwb/PTdvieqove:5m7Wa8qmCZvwbjgeqoW

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\285574f2af1fee8009e412086a380901bda19e556ab0668517cd899935c54fd9.exe
    "C:\Users\Admin\AppData\Local\Temp\285574f2af1fee8009e412086a380901bda19e556ab0668517cd899935c54fd9.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:532
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\1333100.dll
    Filesize

    112KB

    MD5

    851b44c29b52abbccffe8614b3467f16

    SHA1

    ecbce1a3a910cf39274525594f6d3a9a72aaa5e7

    SHA256

    11391efc3613af1a12993195168eb0a9a58858b5ce679768d60a281cb9ab6c31

    SHA512

    e0de7a25323de88bb665dadd671bff3a80a34cf19057c04c4373382cd1d5e11310c97e4541659baa7e4ace020a2440ba548f4fa0865b2032739aaa16a41e5acf

    Download Submit

  • \??\c:\NT_Path.jpg
    Filesize

    117B

    MD5

    bf224260290b1b5490e919120e38e95d

    SHA1

    e3d193f2e1e4add519105ad3e7a160fe78a28777

    SHA256

    57264bc0db8a0c04fd76a73242895b187df03cc43b438764536a4f637f70f604

    SHA512

    589efb772c28ef56788226485421a9331f80c929edc7c9fe137f2577fdf91b4f231915129e286fce3734a07715318fc22d3168066817932b8332b2c0e20c6f78

    Download Submit

  • \??\c:\program files (x86)\aexc\rgsyknvkv.pic
    Filesize

    7.8MB

    MD5

    529628a89b76977796348088fa794a3f

    SHA1

    e7d6d55b1e37d3d68a5c21e746081fac3245de71

    SHA256

    87fd2a71f36c03bc0fdd6c11423dfe0de8fb8cad064a2fce761eb0b2fc05cb23

    SHA512

    eb24f1efa0275af8c2897612e597667c99863c4ef40c266c7448fb9b08472bd4ddd19df6e1024a3b1fed3fbb39c529f8407b3935b8a2156f79e63e791ca31b91

    Download Submit

  • \Program Files (x86)\Aexc\Rgsyknvkv.pic
    Filesize

    7.8MB

    MD5

    529628a89b76977796348088fa794a3f

    SHA1

    e7d6d55b1e37d3d68a5c21e746081fac3245de71

    SHA256

    87fd2a71f36c03bc0fdd6c11423dfe0de8fb8cad064a2fce761eb0b2fc05cb23

    SHA512

    eb24f1efa0275af8c2897612e597667c99863c4ef40c266c7448fb9b08472bd4ddd19df6e1024a3b1fed3fbb39c529f8407b3935b8a2156f79e63e791ca31b91

    Download Submit

  • memory/532-54-0x0000000075091000-0x0000000075093000-memory.dmp

    Filesize

    8KB

    Download