Analysis
- max time kernel: 174s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/11/2022, 14:55
Behavioral task: behavioral1
- Sample: 1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
- Resource: win7-20220901-en
General
- Target: 1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
- Size: 204KB
- MD5: 3cc5633a1c10621a9f34cae49cee1d48
- SHA1: f20a294698f474d3c1f86a1a8738ca38af7cf7e7
- SHA256: 1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec
- SHA512: bf3246c24e67a0ee407794069585993a44add2376d1ba81fac4c8aac716739d733fceb91c551b5b43de74fc0cc59c7ece54c6125c109a17c303deacce37b3610
- SSDEEP: 3072:ArBaHAhAtPf6BWHWVXhqPEzO/V1VrNYQkCA+HFSWvF3TBftEnob2RI:8uAh/WHv9DNYtEHhvF3TBlEnob/
Malware Config
Signatures
- Gh0st RAT payload (5 IoCs)
  resource | yara_rule
  behavioral2/files/0x0006000000022e63-133.dat | family_gh0strat
  behavioral2/files/0x0006000000022e63-134.dat | family_gh0strat
  behavioral2/files/0x0006000000022e68-137.dat | family_gh0strat
  behavioral2/memory/2736-138-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
  behavioral2/memory/2736-139-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
- Executes dropped EXE (1 IoC)
  pid | Process
  2736 | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | svchost.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2736 | svchost.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\yjsoft.ini | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\yjsoft.ini | svchost.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\windows\alg.exe | svchost.exe
  File opened for modification | C:\windows\alg.exe | svchost.exe
  File created | C:\Windows\Sys.VBS | svchost.exe
  File created | C:\WINDOWS\FF13.exe | svchost.exe
  File created | C:\WINDOWS\FF12.exe | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1680 | 2736 | WerFault.exe | 78
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | svchost.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2736 | svchost.exe
  2736 | svchost.exe
  2736 | svchost.exe
  2736 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2736 | svchost.exe
  Token: SeDebugPrivilege | 2736 | svchost.exe
  Token: SeBackupPrivilege | 2736 | svchost.exe
  Token: SeRestorePrivilege | 2736 | svchost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3792 wrote to memory of 2736 | 3792 | 1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe | 78
  PID 3792 wrote to memory of 2736 | 3792 | 1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe | 78
  PID 3792 wrote to memory of 2736 | 3792 | 1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe | 78
  PID 2736 wrote to memory of 4820 | 2736 | svchost.exe | 81
  PID 2736 wrote to memory of 4820 | 2736 | svchost.exe | 81
  PID 2736 wrote to memory of 4820 | 2736 | svchost.exe | 81
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe"
  PID: 3792
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    PID: 2736
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\Sys.VBS"
      PID: 4820
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1452
      PID: 1680
      - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2736 -ip 2736
  PID: 2348
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 15.2MB
  MD5: ce470b3a02f89d43e1f765e5d59226a8
  SHA1: 4d0d91ab311eb8602a967c03b9e501894364052c
  SHA256: 6ee6a956941b90233d173cb03dacdc3476b3b5f31cffdf3565235d9c62ea8c63
  SHA512: 5a393f840a6c8ee6dd48c52635808dc66da79875db0ae1893044ca671434dc8a1f0effc6501128cc2fc08264ba0f52c1edb78f993da6a81de9057ebbbfe6e7e6
- Filesize: 1KB
  MD5: e5baac34de9a9068a0c901392f21efe5
  SHA1: 77f9cb2be96bfbf4e0eefb27b759faeb13b50b29
  SHA256: 7fa5d6fb181d48105524c2836db0671faf8454d7236a74b434075ce64b52a7a9
  SHA512: dac036e3136abdb14c799b52f91ccfa39699943b980276d563072d63a5bbd5fdf975cdce04f1df832d8a19735231a7ed9a52eddff2b6f2cc47b4b8a1aa62f374
- Filesize: 152KB
  MD5: 60c9e406f6ad0ba9104a236786a02e8f
  SHA1: 110375bd7de771f8b2d793c9f431e8b2b9fa22d9
  SHA256: 1f14d1da060723cd994d1ddc8d8d714331625a55ba0e13acb2621712b97c353b
  SHA512: 517a580a6cee7cee0238814cf5a22f2c2b7a4123dc3d2dea82f4e3884b7a8ad90e45f6bdf31b60b080482632f3ed9db3103d7928325e3f0b25dc0327e3c9e7d7