Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
158s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
29/11/2022, 15:29
General
-
Target
3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe
-
Size
280KB
-
MD5
a4e5787613503c79d51ccd921ef47fa4
-
SHA1
f3a3b5a54aa6243bf7cf518daecbc1662c355cdf
-
SHA256
3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2
-
SHA512
15ef18c7c324451ed24b6f0d3dcb7d3c41019471a04c1d16577f80d41869f78173d70879b537a646f49b0b49adbbda8e0b46e5a7a1a49fda0d32f641ae9bd193
-
SSDEEP
6144:VR2zrtk4tfVryzVnnmt/cIl9qswB9bJ6dWbnziPcE1kQnd9frAALaFlez:Ontk45oJmt/cI6sAN0WC0zQndFrLky
Malware Config
Signatures
-
Gh0st RAT payload 3 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Executes dropped EXE 3 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
NSIS installer 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe"C:\Users\Admin\AppData\Local\Temp\3e1fd8fc235595bfcf42c47980616dc73b3e046cb8e47e1b518fcc79e34a7ba2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rtad.exe"C:\Users\Admin\AppData\Local\Temp\rtad.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\BaiBi.exe"C:\Users\Admin\AppData\Local\Temp\BaiBi.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Thunder.exe"C:\Users\Admin\AppData\Local\Temp\Thunder.exe"3⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k nT1V9BbI1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe c:\windows\system32\kcmlve.pic,main nT1V9BbI2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 5082⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4296 -ip 42961⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
218KB
MD54eb9c6c640cbb8c0bab63577a3e973b8
SHA19b567e2048880c09a71cf04e07c875f7a8fa59f9
SHA256ab9026054b08e87a3c35e1524d9a74477906d077642a2122b5cac3c9f0172099
SHA512eeeeef74bc7d0d2d3bc3a0280ae4d3912d97c0a20a59341c6f15fcf543a5ec2a3350cc9f83e8aa5e0172caa20586c4ba9e541c56545206433ed35d46e2146925
-
Filesize
218KB
MD54eb9c6c640cbb8c0bab63577a3e973b8
SHA19b567e2048880c09a71cf04e07c875f7a8fa59f9
SHA256ab9026054b08e87a3c35e1524d9a74477906d077642a2122b5cac3c9f0172099
SHA512eeeeef74bc7d0d2d3bc3a0280ae4d3912d97c0a20a59341c6f15fcf543a5ec2a3350cc9f83e8aa5e0172caa20586c4ba9e541c56545206433ed35d46e2146925
-
Filesize
5.1MB
MD5a3d802c99ceaa1128c90c8e95ad5c5f7
SHA1fc89e9caa359932c1619f85f41b7173ce40f97a1
SHA256c98c6221ceddff74f56bfe5aa13012477e255aec482542ea041e1278ccd852e4
SHA512dbacefbc6f4249f180a88a6f35e6dd3f11161be34a953a95d01241dc62eafa29399c89de0b93db9cccf667efc8077728d925a4fbc0be42f57de07774482685d3
-
Filesize
5.1MB
MD5a3d802c99ceaa1128c90c8e95ad5c5f7
SHA1fc89e9caa359932c1619f85f41b7173ce40f97a1
SHA256c98c6221ceddff74f56bfe5aa13012477e255aec482542ea041e1278ccd852e4
SHA512dbacefbc6f4249f180a88a6f35e6dd3f11161be34a953a95d01241dc62eafa29399c89de0b93db9cccf667efc8077728d925a4fbc0be42f57de07774482685d3
-
Filesize
62KB
MD5950219f287ae876fbfdcc931b103dfe9
SHA165715d90dc12e821e7bf435280bcc0456558b2e9
SHA256ddb824c8dba664ced8d1e085ad454d87cc0598df25cbf01d58c756ecadf921cc
SHA51232c16ac8eea0e56911f22bcfaf136def39fbf9724dc39d803702a47493a2273ed09f2cce029e3f1fc12d79309c208e81f8c93507af90e5f26cd1ce7d6bf76b29
-
Filesize
62KB
MD5950219f287ae876fbfdcc931b103dfe9
SHA165715d90dc12e821e7bf435280bcc0456558b2e9
SHA256ddb824c8dba664ced8d1e085ad454d87cc0598df25cbf01d58c756ecadf921cc
SHA51232c16ac8eea0e56911f22bcfaf136def39fbf9724dc39d803702a47493a2273ed09f2cce029e3f1fc12d79309c208e81f8c93507af90e5f26cd1ce7d6bf76b29
-
Filesize
55.1MB
MD5cb2e01fdda21071c7aa7c82b61574932
SHA19d39318764d9e99edb5ae3c154bd33eec9f0be71
SHA2563d10450b29c39a868564ae064c363130a0a3b307890a5e1e17e55c59fedaefdd
SHA512614c4496de0c9539ed3e82f94d8f917bea3935737ff2eadc9b252f1c58c6545e765c68c1b0344c322af63583ac49ca840037b7c325cd42fd2caf3f705f8a6b8a
-
Filesize
55.1MB
MD5cb2e01fdda21071c7aa7c82b61574932
SHA19d39318764d9e99edb5ae3c154bd33eec9f0be71
SHA2563d10450b29c39a868564ae064c363130a0a3b307890a5e1e17e55c59fedaefdd
SHA512614c4496de0c9539ed3e82f94d8f917bea3935737ff2eadc9b252f1c58c6545e765c68c1b0344c322af63583ac49ca840037b7c325cd42fd2caf3f705f8a6b8a
-
Filesize
55.1MB
MD5cb2e01fdda21071c7aa7c82b61574932
SHA19d39318764d9e99edb5ae3c154bd33eec9f0be71
SHA2563d10450b29c39a868564ae064c363130a0a3b307890a5e1e17e55c59fedaefdd
SHA512614c4496de0c9539ed3e82f94d8f917bea3935737ff2eadc9b252f1c58c6545e765c68c1b0344c322af63583ac49ca840037b7c325cd42fd2caf3f705f8a6b8a