Analysis

  • max time kernel
    158s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 15:29

General

  • Target

    3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe

  • Size

    280KB

  • MD5

    a4e5787613503c79d51ccd921ef47fa4

  • SHA1

    f3a3b5a54aa6243bf7cf518daecbc1662c355cdf

  • SHA256

    3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2

  • SHA512

    15ef18c7c324451ed24b6f0d3dcb7d3c41019471a04c1d16577f80d41869f78173d70879b537a646f49b0b49adbbda8e0b46e5a7a1a49fda0d32f641ae9bd193

  • SSDEEP

    6144:VR2zrtk4tfVryzVnnmt/cIl9qswB9bJ6dWbnziPcE1kQnd9frAALaFlez:Ontk45oJmt/cI6sAN0WC0zQndFrLky

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 3 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe
    "C:\Users\Admin\AppData\Local\Temp\3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Users\Admin\AppData\Local\Temp\rtad.exe
      "C:\Users\Admin\AppData\Local\Temp\rtad.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:3164
    • C:\Users\Admin\AppData\Local\Temp\BaiBi.exe
      "C:\Users\Admin\AppData\Local\Temp\BaiBi.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Users\Admin\AppData\Local\Temp\Thunder.exe
        "C:\Users\Admin\AppData\Local\Temp\Thunder.exe"
        3⤵
        • Executes dropped EXE
        • Sets DLL path for service in the registry
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4936
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k nT1V9BbI
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\system32\kcmlve.pic,main nT1V9BbI
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 508
      2⤵
      • Program crash
      PID:1664
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4296 -ip 4296
    1⤵
      PID:3548

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\BaiBi.exe

      Filesize

      218KB

      MD5

      4eb9c6c640cbb8c0bab63577a3e973b8

      SHA1

      9b567e2048880c09a71cf04e07c875f7a8fa59f9

      SHA256

      ab9026054b08e87a3c35e1524d9a74477906d077642a2122b5cac3c9f0172099

      SHA512

      eeeeef74bc7d0d2d3bc3a0280ae4d3912d97c0a20a59341c6f15fcf543a5ec2a3350cc9f83e8aa5e0172caa20586c4ba9e541c56545206433ed35d46e2146925

    • C:\Users\Admin\AppData\Local\Temp\Thunder.exe

      Filesize

      5.1MB

      MD5

      a3d802c99ceaa1128c90c8e95ad5c5f7

      SHA1

      fc89e9caa359932c1619f85f41b7173ce40f97a1

      SHA256

      c98c6221ceddff74f56bfe5aa13012477e255aec482542ea041e1278ccd852e4

      SHA512

      dbacefbc6f4249f180a88a6f35e6dd3f11161be34a953a95d01241dc62eafa29399c89de0b93db9cccf667efc8077728d925a4fbc0be42f57de07774482685d3

    • C:\Users\Admin\AppData\Local\Temp\rtad.exe

      Filesize

      62KB

      MD5

      950219f287ae876fbfdcc931b103dfe9

      SHA1

      65715d90dc12e821e7bf435280bcc0456558b2e9

      SHA256

      ddb824c8dba664ced8d1e085ad454d87cc0598df25cbf01d58c756ecadf921cc

      SHA512

      32c16ac8eea0e56911f22bcfaf136def39fbf9724dc39d803702a47493a2273ed09f2cce029e3f1fc12d79309c208e81f8c93507af90e5f26cd1ce7d6bf76b29

    • C:\Windows\SysWOW64\KcmlvE.pic

      Filesize

      55.1MB

      MD5

      cb2e01fdda21071c7aa7c82b61574932

      SHA1

      9d39318764d9e99edb5ae3c154bd33eec9f0be71

      SHA256

      3d10450b29c39a868564ae064c363130a0a3b307890a5e1e17e55c59fedaefdd

      SHA512

      614c4496de0c9539ed3e82f94d8f917bea3935737ff2eadc9b252f1c58c6545e765c68c1b0344c322af63583ac49ca840037b7c325cd42fd2caf3f705f8a6b8a

    • \??\c:\windows\SysWOW64\kcmlve.pic

      Filesize

      55.1MB

      MD5

      cb2e01fdda21071c7aa7c82b61574932

      SHA1

      9d39318764d9e99edb5ae3c154bd33eec9f0be71

      SHA256

      3d10450b29c39a868564ae064c363130a0a3b307890a5e1e17e55c59fedaefdd

      SHA512

      614c4496de0c9539ed3e82f94d8f917bea3935737ff2eadc9b252f1c58c6545e765c68c1b0344c322af63583ac49ca840037b7c325cd42fd2caf3f705f8a6b8a