Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

6aaf784991...a8.exe

windows7-x64

10

6aaf784991...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6aaf78499150daca0cffe6c6419c4199bae084b6008e0cdb20a1daadb68afda8.exe

  • Size

    141KB

  • MD5

    6d8d48afc3782a3007d0b40c0f2b9252

  • SHA1

    d33e622dd1e846c9fb4fa866ad126d6daa021fc4

  • SHA256

    6aaf78499150daca0cffe6c6419c4199bae084b6008e0cdb20a1daadb68afda8

  • SHA512

    76bc851202d0fb7b5640ae7a3598b478dbe907bcc77607e626caa3e8a1460563dd3db5a3e41d01c31c2f70beba610a715d8b03161464eb325a5f5087c2a95955

  • SSDEEP

    3072:PmkFSPOOECpVKTbp3WpnAzDhZFYYJOGS5XzZQ82pCi0z:9zTb+AvNYIq5DZQhoZ

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aaf78499150daca0cffe6c6419c4199bae084b6008e0cdb20a1daadb68afda8.exe
    "C:\Users\Admin\AppData\Local\Temp\6aaf78499150daca0cffe6c6419c4199bae084b6008e0cdb20a1daadb68afda8.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1760
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\windows\Prefetch1276200.dll
    Filesize

    130KB

    MD5

    5f7dcf4b70048570003b6244dd2f6de1

    SHA1

    9fe23c43da8b0f225d6dd0682fc2c90deacf89ec

    SHA256

    4a54b6412b98fa5b5bb099131583f703a1f9e972f2df277d46da75ccf3ae790c

    SHA512

    1664867208e2627e9791dc3975c14b97d3aaa9cda4c72759296db5ee718d6a98f2acff7830263902be4481b3eddadbda8421fcecb4f6d70f75e47c0775d16a00

    Download Submit

  • \??\c:\Program Files\NT_Path.gif
    Filesize

    133B

    MD5

    17e8cb3cd333e162f3ec1521e3643aba

    SHA1

    98ab0d8052a13eb4ef43847b1508cd314e527e1a

    SHA256

    765a10e5412d6d1c06df1474081fd807bc7d5f8706727a7d142828603a5385d7

    SHA512

    907f572bcd41afd85fbe1e8adc2c91fe25ccfad46a897041e544e9d4ba17891e8df2f9195b720d8988903399486e79d64f6f89adf529d5a09153550c50752642

    Download Submit

  • \??\c:\program files (x86)\uqrs\aqrstuvwx.bmp
    Filesize

    17.2MB

    MD5

    16a94b409b87ca64740f8180b4b6f143

    SHA1

    009a27545fb37539d0b422e48e597a144a3acaa4

    SHA256

    e35a217d4c8b9f4aca09c003cc91bbf0103e0bf01cd1267ecebc31442b9709e1

    SHA512

    9fc88bdae9d2db03d1b30b499486e05202fec0710e6f25c5fdc2b0d065a600b2c23c09658858f34252a2a8349c48e2abba104aa62f2a73ba1c2438bd282d6ce1

    Download Submit

  • \Program Files (x86)\Uqrs\Aqrstuvwx.bmp
    Filesize

    17.2MB

    MD5

    16a94b409b87ca64740f8180b4b6f143

    SHA1

    009a27545fb37539d0b422e48e597a144a3acaa4

    SHA256

    e35a217d4c8b9f4aca09c003cc91bbf0103e0bf01cd1267ecebc31442b9709e1

    SHA512

    9fc88bdae9d2db03d1b30b499486e05202fec0710e6f25c5fdc2b0d065a600b2c23c09658858f34252a2a8349c48e2abba104aa62f2a73ba1c2438bd282d6ce1

    Download Submit

  • memory/1760-54-0x0000000076181000-0x0000000076183000-memory.dmp

    Filesize

    8KB

    Download