Analysis

  • max time kernel
    174s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 14:55

General

  • Target

    1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe

  • Size

    204KB

  • MD5

    3cc5633a1c10621a9f34cae49cee1d48

  • SHA1

    f20a294698f474d3c1f86a1a8738ca38af7cf7e7

  • SHA256

    1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec

  • SHA512

    bf3246c24e67a0ee407794069585993a44add2376d1ba81fac4c8aac716739d733fceb91c551b5b43de74fc0cc59c7ece54c6125c109a17c303deacce37b3610

  • SSDEEP

    3072:ArBaHAhAtPf6BWHWVXhqPEzO/V1VrNYQkCA+HFSWvF3TBftEnob2RI:8uAh/WHv9DNYtEHhvF3TBlEnob/

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs

    svchost.exe (PID 2736) is a 32-bit process, so paths it gives as C:\Windows\System32 are redirected by WoW64 to C:\Windows\SysWOW64. This is why yjsoft.ini lands under SysWOW64 and why WScript.exe runs from SysWOW64 although its command line names the System32 path.
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This generic signature is often a ransomware indicator, but in a Gh0st RAT sample it is equally consistent with the RAT's built-in file manager enumerating drives, and no file encryption is reported elsewhere in this analysis.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
    "C:\Users\Admin\AppData\Local\Temp\1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\Sys.VBS"
        3⤵
          PID:4820
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1452
          3⤵
          • Program crash
          PID:1680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2736 -ip 2736
      1⤵
        PID:2348
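
The process tree above shows the three behaviours that matter for detection: a binary named svchost.exe executing from the user's Temp directory with a parent that is not services.exe, WScript.exe running a script dropped directly under C:\Windows, and WerFault.exe reporting a crash of that same svchost.exe. The following Python is an added example (not part of the tria.ge report or its tooling) that encodes those checks and runs them over records constructed from this tree; the Proc record layout, the ppid of 0 for the two root processes and the finding strings are assumptions of the example.

```python
"""Process-tree checks for the behaviour shown in the report above.

Added example, not part of the tria.ge report or of any tria.ge tooling.
The Proc record and its field names are my own; SAMPLE is constructed to
mirror the reported process tree (PIDs, image paths and command lines
copied from it; ppid 0 for the two root processes is an assumption).
"""
from __future__ import annotations

import ntpath  # Windows path handling that works on any host
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # path of the image actually executed
    cmdline: str  # command line as reported


SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _argv(cmdline: str) -> list[str]:
    """Split a Windows command line, honouring double-quoted arguments."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def check_process(p: Proc, by_pid: dict[int, Proc]) -> list[str]:
    findings: list[str] = []
    name = _name(p.image)
    parent = by_pid.get(p.ppid)

    # svchost.exe is only legitimate from System32/SysWOW64 and is normally
    # started by services.exe; PID 2736 in the report fails both tests.
    if name == "svchost.exe":
        if _dir(p.image) not in SYSTEM_DIRS:
            findings.append(f"svchost.exe masquerade: {p.image}")
        if parent is not None and _name(parent.image) != "services.exe":
            findings.append(f"svchost.exe with non-services.exe parent: {parent.image}")

    # Script host executing a script dropped directly in C:\Windows or in a
    # temp directory (C:\Windows\Sys.VBS in the report).
    if name in ("wscript.exe", "cscript.exe"):
        for arg in _argv(p.cmdline)[1:]:
            d = _dir(arg)
            if arg.lower().endswith(SCRIPT_EXTS) and (d == r"c:\windows" or r"\temp" in d):
                findings.append(f"script host running dropped script: {arg}")

    # Informational: a System32 path in the command line that resolved to a
    # SysWOW64 image means the caller was 32-bit (WoW64 file-system redirection).
    if _dir(p.image) == r"c:\windows\syswow64" and "system32" in p.cmdline.lower():
        findings.append("WoW64 redirection: 32-bit caller, System32 path resolved to SysWOW64")

    return findings


def analyze(procs: list[Proc]) -> dict[int, list[str]]:
    """Return {pid: findings} for every process with at least one finding."""
    by_pid = {p.pid: p for p in procs}
    findings = {p.pid: check_process(p, by_pid) for p in procs}
    # Second pass: WerFault.exe handling a crash (-p <pid>) of a process that
    # was already flagged; in the report the dropped svchost.exe (2736) crashes.
    for p in procs:
        if _name(p.image) == "werfault.exe":
            m = re.search(r"\s-p\s+(\d+)", p.cmdline)
            target = int(m.group(1)) if m else None
            if target is not None and findings.get(target):
                findings[p.pid].append(f"WerFault: crash of flagged pid {target}")
    return {pid: f for pid, f in findings.items() if f}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = "1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe"
SAMPLE = [  # constructed from the process tree in the report
    Proc(3792, 0, TEMP + "\\" + SAMPLE_EXE, '"' + TEMP + "\\" + SAMPLE_EXE + '"'),
    Proc(2736, 3792, TEMP + r"\svchost.exe", TEMP + r"\svchost.exe"),
    Proc(4820, 2736, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Windows\Sys.VBS"'),
    Proc(1680, 2736, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1452"),
    Proc(2348, 0, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2736 -ip 2736"),
]

if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE).items():
        for hit in hits:
            print(f"PID {pid}: {hit}")
```

Run against SAMPLE, the checks flag PIDs 2736, 4820, 1680 and 2348 and leave the original sample (PID 3792) unflagged, since nothing in these rules keys on the submitted file itself; the WerFault rule only fires because its target PID was already flagged, which keeps ordinary crash reports out of the results.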

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\svchost.exe

        Filesize

        15.2MB

        MD5

        ce470b3a02f89d43e1f765e5d59226a8

        SHA1

        4d0d91ab311eb8602a967c03b9e501894364052c

        SHA256

        6ee6a956941b90233d173cb03dacdc3476b3b5f31cffdf3565235d9c62ea8c63

        SHA512

        5a393f840a6c8ee6dd48c52635808dc66da79875db0ae1893044ca671434dc8a1f0effc6501128cc2fc08264ba0f52c1edb78f993da6a81de9057ebbbfe6e7e6

      • C:\Windows\Sys.VBS

        Filesize

        1KB

        MD5

        e5baac34de9a9068a0c901392f21efe5

        SHA1

        77f9cb2be96bfbf4e0eefb27b759faeb13b50b29

        SHA256

        7fa5d6fb181d48105524c2836db0671faf8454d7236a74b434075ce64b52a7a9

        SHA512

        dac036e3136abdb14c799b52f91ccfa39699943b980276d563072d63a5bbd5fdf975cdce04f1df832d8a19735231a7ed9a52eddff2b6f2cc47b4b8a1aa62f374

      • C:\Windows\SysWOW64\yjsoft.ini

        Filesize

        152KB

        MD5

        60c9e406f6ad0ba9104a236786a02e8f

        SHA1

        110375bd7de771f8b2d793c9f431e8b2b9fa22d9

        SHA256

        1f14d1da060723cd994d1ddc8d8d714331625a55ba0e13acb2621712b97c353b

        SHA512

        517a580a6cee7cee0238814cf5a22f2c2b7a4123dc3d2dea82f4e3884b7a8ad90e45f6bdf31b60b080482632f3ed9db3103d7928325e3f0b25dc0327e3c9e7d7

      • memory/2736-138-0x0000000020000000-0x0000000020027000-memory.dmp

        Filesize

        156KB

      • memory/2736-139-0x0000000020000000-0x0000000020027000-memory.dmp

        Filesize

        156KB