Analysis

  • max time kernel
    253s
  • max time network
    332s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/12/2022, 09:46 UTC

General

  • Target

    ee7be187dcb327062f9a234946d0a13aede4efb1e3ea35de9a030ca7d3065a49.exe

  • Size

    314KB

  • MD5

    5bfa187dbe621f731af5010e9c7b409b

  • SHA1

    966fa6d9fe876fb691560c78761978cd5b01f80c

  • SHA256

    ee7be187dcb327062f9a234946d0a13aede4efb1e3ea35de9a030ca7d3065a49

  • SHA512

    c992d2e0ed5d859a6fec9d532d2ae9d862479889d1c6df093c29dd7ee0eff3d5cea379a8af9907b61fb99b215ceebe8e0e4a1f1f07324fbaca4083b929210485

  • SSDEEP

    6144:QGzRxSVtp0l6whGfsKR+zkBpTaa5tJHXH:jt0VPFfsKAkrbPlXH

Malware Config

Signatures

  • Gh0st RAT payload (1 IoC)
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (2 IoCs)

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
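The "Gh0st RAT payload" signature fires on the RAT's network framing. The report does not show the bytes of the 183.236.2.18:8888 session, so the following parser is an added example (not tria.ge's signature logic and not code from the sample) that assumes the stock 5-byte "Gh0st" flag from the public source; variants rotate that flag, so pass the observed one if it differs. The beacon bytes built in the main block are constructed, not captured.

```python
"""Parse and validate Gh0st RAT network framing (added example).

Assumptions: the stock "Gh0st" flag is in use (variants change it), and the
beacon below is constructed, not taken from the sandbox capture.
Frame layout from the public source: 5-byte flag, uint32 LE total frame size
(header included), uint32 LE decompressed size, then a zlib stream.
"""
import struct
import zlib

HEADER_LEN = 13            # 5-byte flag + uint32 total size + uint32 original size
DEFAULT_FLAG = b"Gh0st"    # assumption: stock flag; substitute the variant's flag if known
MAX_ORIGINAL = 1 << 20     # cap on decompressed size so a hostile frame cannot zlib-bomb the parser


class Gh0stFrameError(ValueError):
    """Raised when bytes claim to be a Gh0st frame but fail validation."""


def build_frame(payload: bytes, flag: bytes = DEFAULT_FLAG) -> bytes:
    """Encode one frame: flag || total_size(LE) || original_size(LE) || zlib(payload)."""
    if len(flag) != 5:
        raise ValueError("flag must be exactly 5 bytes")
    body = zlib.compress(payload)
    return flag + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_frame(buf: bytes, flag: bytes = DEFAULT_FLAG, max_original: int = MAX_ORIGINAL):
    """Decode the first frame in buf.

    Returns (payload, remaining_bytes), or None when buf holds only part of a
    frame and the caller should read more. Raises Gh0stFrameError on a frame
    that is malformed or lies about its sizes.
    """
    if len(buf) < HEADER_LEN:
        return None
    if buf[:5] != flag:
        raise Gh0stFrameError("flag mismatch")
    total, original = struct.unpack_from("<II", buf, 5)
    if total < HEADER_LEN or original > max_original:
        raise Gh0stFrameError(f"implausible sizes total={total} original={original}")
    if len(buf) < total:
        return None                          # rest of the frame is in a later TCP segment
    d = zlib.decompressobj()
    try:
        # Ask for at most original+1 bytes: a frame that decompresses to more
        # than it claims is caught by the length check, never fully inflated.
        payload = d.decompress(buf[HEADER_LEN:total], original + 1)
    except zlib.error as exc:
        raise Gh0stFrameError(f"zlib error: {exc}") from exc
    if len(payload) != original or d.unconsumed_tail or d.unused_data:
        raise Gh0stFrameError("decompressed size does not match header")
    return payload, buf[total:]


def looks_like_gh0st(buf: bytes, flag: bytes = DEFAULT_FLAG) -> bool:
    """Detector for a captured stream: True when a complete, self-consistent frame parses."""
    try:
        return parse_frame(buf, flag) is not None
    except Gh0stFrameError:
        return False


if __name__ == "__main__":
    # Constructed beacon: a one-byte command token followed by fake host info.
    beacon = b"\x65" + b"WIN7-X64\x00Admin\x00"
    wire = build_frame(beacon)
    print("header:", wire[:HEADER_LEN].hex(), "frame length:", len(wire))
    payload, rest = parse_frame(wire + b"\x00")
    assert payload == beacon and rest == b"\x00"
    print("round trip ok, trailing bytes:", rest)
```

For live detection the same check runs over the first segments of each flow to the C2 port; a stream that starts with the flag but whose header sizes are inconsistent is still worth an alert, since the detector above deliberately returns False for it rather than raising.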

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee7be187dcb327062f9a234946d0a13aede4efb1e3ea35de9a030ca7d3065a49.exe
    "C:\Users\Admin\AppData\Local\Temp\ee7be187dcb327062f9a234946d0a13aede4efb1e3ea35de9a030ca7d3065a49.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1512
    • \??\c:\Windows\(null)0.exe
      c:\Windows\(null)0.exe
      2⤵
      • Executes dropped EXE
      PID:832

Network

  • DNS: ee7be187dcb327062f9a234946d0a13aede4efb1e3ea35de9a030ca7d3065a49.exe -> 8.8.8.8:53
    Request: haidishijie.3322.org IN A
    Response: haidishijie.3322.org IN A 183.236.2.18
    66 B sent, 82 B received (1 packet each way)
  • Connection (Gh0st RAT C2): ee7be187dcb327062f9a234946d0a13aede4efb1e3ea35de9a030ca7d3065a49.exe -> 183.236.2.18:8888 (haidishijie.3322.org)
    152 B sent, 80 B received (3 packets sent, 2 received)

    3322.org is a dynamic DNS service, so the A record observed at analysis time (183.236.2.18) may change; the hostname is the more durable indicator.
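A sweep for the network indicators above, as an added example (not part of the tria.ge report). The log lines are constructed in a simple one-event-per-line format rather than any real sensor's output, and the severity tiers (exact C2 hostname or IP:8888 high, other traffic to the IP medium, any other name under the 3322.org dynamic-DNS zone low) are this example's own choices.

```python
"""Sweep DNS and connection logs for this report's C2 indicators (added example).

The SAMPLE_LOG lines and the log format are constructed for this example;
the indicators themselves come from the report's Network section.
"""
import re
from dataclasses import dataclass

C2_DOMAIN = "haidishijie.3322.org"
C2_IP = "183.236.2.18"
C2_PORT = 8888
DDNS_ZONE = "3322.org"     # dynamic-DNS provider; the A record can change after analysis

# Constructed line formats:
#   <ts> dns <src> q=<qname> a=<answer>
#   <ts> conn <src> -> <dst_ip>:<port>
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+dns\s+(?P<src>\S+)\s+q=(?P<qname>\S+)\s+a=(?P<answer>\S*)$")
CONN_LINE = re.compile(r"^(?P<ts>\S+)\s+conn\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    severity: str
    reason: str


def classify(line: str):
    """Return a Hit for a line that matches an indicator, else None."""
    m = DNS_LINE.match(line)
    if m:
        # Normalise the query name: strip the trailing dot, ignore case.
        qname = m["qname"].rstrip(".").lower()
        if qname == C2_DOMAIN:
            return Hit(m["ts"], m["src"], "high", f"DNS lookup of C2 domain {qname}")
        if m["answer"] == C2_IP:
            return Hit(m["ts"], m["src"], "high", f"{qname} resolved to C2 address {C2_IP}")
        if qname == DDNS_ZONE or qname.endswith("." + DDNS_ZONE):
            return Hit(m["ts"], m["src"], "low", f"lookup under dynamic-DNS zone {DDNS_ZONE}")
        return None
    m = CONN_LINE.match(line)
    if m and m["dst"] == C2_IP:
        port = int(m["port"])
        sev = "high" if port == C2_PORT else "medium"
        return Hit(m["ts"], m["src"], sev, f"connection to {C2_IP}:{port}")
    return None


def sweep(lines):
    """Classify every line; lines that match neither format are ignored."""
    return [h for h in (classify(line.strip()) for line in lines) if h]


# Constructed sample log: two true positives, one benign lookup, one sibling
# dynamic-DNS name, one connection to the C2 address on another port, one junk line.
SAMPLE_LOG = """\
2022-12-01T09:46:10Z dns 10.0.0.15 q=haidishijie.3322.org. a=183.236.2.18
2022-12-01T09:46:11Z conn 10.0.0.15 -> 183.236.2.18:8888
2022-12-01T09:47:02Z dns 10.0.0.22 q=update.example.com. a=93.184.216.34
2022-12-01T09:48:30Z dns 10.0.0.22 q=other-host.3322.org. a=1.2.3.4
2022-12-01T09:49:00Z conn 10.0.0.22 -> 183.236.2.18:443
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"[{hit.severity:6}] {hit.ts} {hit.src}: {hit.reason}")
```

Matching on the answer address as well as the query name catches a re-pointed or differently spelled name that still resolves to the C2 host, while the zone-level rule is kept low severity because 3322.org hosts plenty of unrelated names.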

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\(null)0.exe

    Filesize

    314KB

    MD5

    ceb75c8624713e5773b422e03463c8db

    SHA1

    c705247e48f3cba2371cdcfd03f79a0d84b8b9e6

    SHA256

    e5ffe15d9da90ecbfe20ae4dbe68e8a16b42379f5cf77d77685354648ccb1cd8

    SHA512

    229504a3fcc071ea66dcec267524811ca907630a6b58d5d26c9cac3dc6100c4b7172b38ece38ba88fa067943c14996d4c60fbb617929463676aa3ccc62efe663

  • memory/1512-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

    Filesize

    8KB

  • memory/1512-55-0x0000000000400000-0x00000000004F1000-memory.dmp

    Filesize

    964KB

  • memory/1512-59-0x0000000002800000-0x00000000028F1000-memory.dmp

    Filesize

    964KB

  • memory/1512-60-0x0000000002800000-0x00000000028F1000-memory.dmp

    Filesize

    964KB
