Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 151s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06/11/2022, 11:01
Behavioral task: behavioral1
- Sample: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
- Resource: win10v2004-20220812-en
General
- Target: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
- Size: 571KB
- MD5: 11c24b76d0a15256a8fb81f838c4a060
- SHA1: edc4a4c15f7aec56ea418a6a0d3b447fc7a63977
- SHA256: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a
- SHA512: d8d164c21b824742ca11ad17884a11d31a668b415a16719e2c16caa3849cca9cd0c66a7dca268c6ef7466c9f6a9cd00a7d888845713c6735210fda1d4852e1c3
- SSDEEP: 6144:LGzRxSVtp0l6whGfsKR+zkBpTaa5tJH3qJH3Y:6t0VPFfsKAkrbPlalI
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  - resource: behavioral1/memory/940-59-0x0000000000400000-0x00000000004F0000-memory.dmp; yara_rule: family_gh0strat
- Executes dropped EXE (1 IoC)
  - pid: 940; Process: (null)0.exe
- UPX-packed resources (yara_rule: upx)
  - resource: behavioral1/memory/1592-55-0x0000000000400000-0x00000000004F0000-memory.dmp; yara_rule: upx
  - resource: behavioral1/files/0x000a0000000122be-57.dat; yara_rule: upx
  - resource: behavioral1/memory/940-59-0x0000000000400000-0x00000000004F0000-memory.dmp; yara_rule: upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run; Process: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe"; Process: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
- Drops file in Windows directory (3 IoCs)
  - File created: \??\c:\Windows\(null)0.exe; Process: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
  - File created: \??\c:\Windows\BJ.exe; Process: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
  - File opened for modification: \??\c:\Windows\BJ.exe; Process: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 1592 wrote to memory of 940; Process: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe; procid_target: 27
  - PID 1592 wrote to memory of 940; Process: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe; procid_target: 27
  - PID 1592 wrote to memory of 940; Process: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe; procid_target: 27
  - PID 1592 wrote to memory of 940; Process: 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe; procid_target: 27
Processes
- C:\Users\Admin\AppData\Local\Temp\97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe (PID: 1592)
  command line: "C:\Users\Admin\AppData\Local\Temp\97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - \??\c:\Windows\(null)0.exe (PID: 940, child of PID 1592)
    command line: c:\Windows\(null)0.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 571KB
- MD5: 95ce6724cd8fc022f7714c63503e55ff
- SHA1: 29fa92d1ae08b825f0bd959455346d36199a015f
- SHA256: 16e4e5bfa9c25f5c02fcc840c76a58d05bd4becec57887efdb5f4b87fa5990e8
- SHA512: fcd6fae7d6a7fe6146f7a5f84a849b31bdca961c12cf57a6089739ab5642253c5b3a9001579fd7e89f5feb9e7f78cb100a3cd8eead2c164e73e9f13c06f24445