Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 152s
max time network: 158s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 15:54
Behavioral task: behavioral1
Sample: e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Resource: win10v2004-20220812-en
General
Target: e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Size: 156KB
MD5: 1710258343ac8af4dae7b976125f119f
SHA1: c69a8f32b03fb5630ba33be642fcff4a756f8cec
SHA256: e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf
SHA512: 51bf5c9c4f797b755b7e080a31eecdbd74f352472a362a8133d584f6de569ecce11b764d46f8176162c49ee181820a1ba44005149dbe1a80684fb89e3f1db0c9
SSDEEP: 3072:dVZd5rnmoWOQrkdJv5hMFULTvtcMk8Lyji8lkivl05K3i+ITqn:dXd5rmoWOQsJRG4GMkSQi8Tvl05K3DIk
Malware Config
Signatures
Gh0st RAT payload (8 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000005c51-55.dat | family_gh0strat
behavioral1/files/0x0008000000005c51-57.dat | family_gh0strat
behavioral1/files/0x0008000000005c51-60.dat | family_gh0strat
behavioral1/files/0x0008000000005c51-61.dat | family_gh0strat
behavioral1/files/0x0008000000005c51-59.dat | family_gh0strat
behavioral1/files/0x0008000000005c51-62.dat | family_gh0strat
behavioral1/files/0x0007000000014219-65.dat | family_gh0strat
behavioral1/files/0x0007000000014219-66.dat | family_gh0strat

Executes dropped EXE (1 IoC)
pid | Process
840 | inatwyxqd.exe

Modifies Installed Components in the registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{zemdnoqn-tixy-ycfe-sili-iajhsojsicyt} | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{zemdnoqn-tixy-ycfe-sili-iajhsojsicyt}\ = "ϵͳÉèÖÃ" | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{zemdnoqn-tixy-ycfe-sili-iajhsojsicyt}\stubpath = "C:\\Windows\\System32\\inatwyxqd.exe" | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe

Loads dropped DLL (5 IoCs)
pid | Process
1252 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
840 | inatwyxqd.exe
840 | inatwyxqd.exe
840 | inatwyxqd.exe
268 | userinit.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\inatwyxqd.exe_lang.ini | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
File created | C:\Windows\SysWOW64\inatwyxqd.exe | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
File created | C:\Windows\SysWOW64\inatwyxqd.exe_lang.ini | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1252 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
840 | inatwyxqd.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1252 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Token: SeDebugPrivilege | 840 | inatwyxqd.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 1252 wrote to memory of 840 | 1252 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe | 27 (7 identical entries)
PID 840 wrote to memory of 268 | 840 | inatwyxqd.exe | 28 (8 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe"
   PID: 1252
   - Modifies Installed Components in the registry
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Windows\SysWOW64\inatwyxqd.exe
   Command line: C:\Windows\System32\inatwyxqd.exe
   PID: 840
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
3. (child of 2) C:\Windows\SysWOW64\userinit.exe
   Command line: userinit.exe
   PID: 268
   - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads (8 entries, 2 unique files)

Filesize: 114KB
MD5: 14a6735ae8eaf17c6f65d4097047aeda
SHA1: 22d735ea40c7f91568ef180c0175eac249b11606
SHA256: 7865fd60ab475de06cfcbe1bb9debfc34cfa67a55cf0591e323bd10776328505
SHA512: 734e12040cb34731a3de27c57d396d9dab14c7cbc9cbca95f8afd3348ee6d889a69f6bbf17963e21df21f99277b11da23c8a66566d4c3e3c05444e22826bf4c9

Filesize: 156KB
MD5: c4f78d1a08f9d3007d5b5bfb9df116bc
SHA1: 39dae566d50ffd72b3c68ce097d1b7f1456faa7a
SHA256: 72f923f35d5af53cccd01fd6979ed97b8a537eadf0e21de3dedc8e45b2cc2435
SHA512: 5aeca4f5410c348ee22c9efb5febd8f5ff7b77ddc0fa7a9b391fd03f562d29a58dab3ba98b88c69d4b19fa74a17d279de63f147f4247af8c5ad5a2e87be3e76a