Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 13:16

General

  • Target

    e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe

  • Size

    39KB

  • MD5

    3697872eb74777ad7075dd6cd529edc0

  • SHA1

    217f4af3aea4ad2ee02c1bb53e3223f9f18506c1

  • SHA256

    e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648

  • SHA512

    01d3984dbaa07a5528c2e61b65a0b01292bd9106d319d67a02326dd0487be2924bb0c3e7b0d886b58aac1e0056db14836aabd4cd80acf8b2e3fa3623187960eb

  • SSDEEP

    768:JKqq1uaVze+uFNSlcUkFR1Df0ermMUXIisUaAsJ/APII:JKqauaVzebGcD/f+9X/WAh

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
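As an added example (not part of the tria.ge report and not tria.ge's own detection code), the following Python script re-implements on a host you are triaging two of the checks the signatures above describe: a SHA256 match against the hashes this report lists for the sample and its dropped files, and a UPX check based on the PE section table rather than on a signature engine. The directory to scan is whatever path you pass on the command line; the fake PE builder at the bottom is constructed test input, not a file from the report.

```python
import hashlib
import os
import struct
import sys

# SHA256 values copied from this report's General and Downloads sections.
REPORT_SHA256 = {
    "e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648": "submitted sample (.exe)",
    "5c16257ee22ccb24890b7330e3d2de3e412ad2968e0c70280a22f338e7c0daac": "C:\\760000.dll",
    "56ba2c4e071fb4341cb81876f3ce1e10fe7ec9398186d0a51289188d8827c102": "C:\\Program Files (x86)\\Iefg\\Nefghijkl.pic",
    "8affd040a29140d2785315c13c2b42b4b05adf185f459d84cad25c68efb2248b": "C:\\WinWall64.bmp",
}

# Section names stock UPX writes; a modified UPX build may rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def pe_section_names(data):
    """Parse the DOS header, COFF header and section table of a PE image and
    return its section names; returns [] for anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header (20 bytes after "PE\0\0"): Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics.
    number_of_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional_header = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional_header
    names = []
    for i in range(number_of_sections):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                     # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def classify(data, ioc_sha256=REPORT_SHA256):
    """Return a list of findings for one file's contents."""
    findings = []
    digest = sha256_hex(data)
    if digest in ioc_sha256:
        findings.append("hash match: " + ioc_sha256[digest])
    names = pe_section_names(data)
    if any(n in UPX_SECTION_NAMES for n in names):
        findings.append("UPX section names present")
    elif names and b"UPX!" in data:
        # Stock section names are gone but the UPX packer header marker remains.
        findings.append("UPX! marker present (possibly modified UPX)")
    return findings


def scan_directory(root):
    """Walk root and return {path: findings} for files with at least one finding."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            findings = classify(data)
            if findings:
                results[path] = findings
    return results


def build_fake_pe(section_names):
    """Constructed minimal PE header (no optional header, no section data),
    used only to exercise the parser offline; not a file from the report."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table


if __name__ == "__main__":
    for path, findings in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(findings))
```

Two caveats a practitioner should keep in mind: the section-name check catches stock UPX only, so the fallback on the "UPX!" marker is what gives the script a chance against the "modified UPX" case the signature mentions, and neither check replaces unpacking the sample. The svchost.exe -k imgsvc line in the Processes section corresponds to a service DLL hosted by svchost rather than a file on disk with a known hash, so a file scan like this one does not cover it; checking the ServiceDll values registered for that service group is a separate host check.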

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
    "C:\Users\Admin\AppData\Local\Temp\e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe"
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:5084
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3748

Network

MITRE ATT&CK Matrix

Downloads

  • C:\760000.dll

    Filesize

    69KB

    MD5

    47e638ba159126d58216f99e640b8ea1

    SHA1

    46816e8734562a5fd7a9aecbec9661f92a624fbe

    SHA256

    5c16257ee22ccb24890b7330e3d2de3e412ad2968e0c70280a22f338e7c0daac

    SHA512

    07f84228958e2f396f864fcc1c7772087d74e29286f9c327340e53cf459350ed0d9e5b6e1c4ea0eff0cf40bf302b00f1f2e8bc3da286a0e4f674ec84292f44c9

  • C:\Program Files (x86)\Iefg\Nefghijkl.pic

    Filesize

    5.4MB

    MD5

    9f3da639b7930a9b92c87e28ee824907

    SHA1

    9a97bd904ae0cbe5074238d83f029bcbd6f29ddd

    SHA256

    56ba2c4e071fb4341cb81876f3ce1e10fe7ec9398186d0a51289188d8827c102

    SHA512

    8aeadcac8bd63f4794befeb3ec837d9fe7a5e2d5a4360ae698dae1168468ef3335da80a355cc733b47133bfcbe628991807abeb1c9ffd517da60fdbfb8295a85

  • C:\WinWall64.bmp

    Filesize

    116B

    MD5

    f21ad185a473ad6ea751d12dd8f95bd1

    SHA1

    36140cb443c822deb94f1d00b7b2bbcaa33fab58

    SHA256

    8affd040a29140d2785315c13c2b42b4b05adf185f459d84cad25c68efb2248b

    SHA512

    459b717026a924da07fbec75b2576481e9f5d951024c617c52ece80e65fad735b3f125b65690c4589cdf7b7ed49057a1873f3a96cceef69bcd2e3468e2be885b

  • \??\c:\program files (x86)\iefg\nefghijkl.pic

    Filesize

    5.4MB

    MD5

    9f3da639b7930a9b92c87e28ee824907

    SHA1

    9a97bd904ae0cbe5074238d83f029bcbd6f29ddd

    SHA256

    56ba2c4e071fb4341cb81876f3ce1e10fe7ec9398186d0a51289188d8827c102

    SHA512

    8aeadcac8bd63f4794befeb3ec837d9fe7a5e2d5a4360ae698dae1168468ef3335da80a355cc733b47133bfcbe628991807abeb1c9ffd517da60fdbfb8295a85

  • memory/5084-132-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB