Analysis

  • max time kernel
    149s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 15:54

General

  • Target

    e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe

  • Size

    156KB

  • MD5

    638d922d3a1acb3756dda409b8b50700

  • SHA1

    6c416852f4c750931281b76fa6e69a9996da7882

  • SHA256

    e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b

  • SHA512

    a5e400a843be5b102be00a5fb30f96970d7b18f2f2259fadd2c6e721461ceacd0239737f05bfae6348887d03e5c81f89505e28cd75d09e5c6240607acb325d6a

  • SSDEEP

    3072:dVZd5rnmoWOQrkdJv5hMFULTvtcMk8Lyji8lkivl05Kui+ITqn:dXd5rmoWOQsJRG4GMkSQi8Tvl05KuDIk

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
    "C:\Users\Admin\AppData\Local\Temp\e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\inhwoipfi.exe
      C:\Windows\System32\inhwoipfi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\SysWOW64\userinit.exe
        userinit.exe
        3⤵
        • Loads dropped DLL
        PID:4480

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240562234_lang.dll

    Filesize

    114KB

    MD5

    7ebc1ba26892a0464b3d65fecac07ffc

    SHA1

    e120b6b7b6e86d00149f45b0cc4b68cffaf56916

    SHA256

    8c404e23655f5e1e607ed413e1b1963c257e4a18f05793de790b6b98fc026ab2

    SHA512

    b1652468e5fd94414a1fa586fb304c8c68194f860292e5ab0aba0998cd6d2c62c4e500813a027c6418f65ecf7278080ba7079d1495e230507b6a4383f376025e

  • C:\Windows\SysWOW64\inhwoipfi.exe

    Filesize

    156KB

    MD5

    e32719f4de53205a9270e093632b182a

    SHA1

    badf366cc7eab58a0e4f1af794a4c7fc2070da3f

    SHA256

    548e92107c0e2aebda9b2f48fb871b00c11a06757801455d76058c252d7ff847

    SHA512

    0703d3fa37c351981d3ecb6151f9df20aa3b26fab87df7418b239ae280bb6b20175c9283cc68f62717aaee8e197e8ca52356a49e578f451b568ccfd95676aeda