Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
04/12/2022, 00:50
General
-
Target
c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe
-
Size
1.6MB
-
MD5
47265030482ff347272cdf09aef25e8d
-
SHA1
2ae7ac78dc11f0374389f1f15031a1a1a4d30b70
-
SHA256
c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9
-
SHA512
35c09678bde4841c3bc0432229c6b84bd4ca39c963290cfcc7d25bb6b10002346e0dc798c684bf9d3ab95b4e286f5366430758733ee2f33eb8610e9773e78b0e
-
SSDEEP
24576:U61I7CpxnYP1uyFQ3OfzYSu2+PVAJeA4Qsi84XVKCuVSs1DKNbGvFic2Y+O:D+7vdNwERuDrZQsN4YpSKWG9ic2Yl
Malware Config
Signatures
-
Gh0st RAT payload 1 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe"C:\Users\Admin\AppData\Local\Temp\c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\¾¢Îè6.9ͨÓð棨֧³Ö˽·þ£©.exe"C:\Users\Admin\AppData\Local\Temp\¾¢Îè6.9ͨÓð棨֧³Ö˽·þ£©.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.5203y.com/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1476 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\dedcisjxuu"C:\Users\Admin\AppData\Local\Temp\server.exe" a -sc:\users\admin\appdata\local\temp\server.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
196KB
MD554b5926b964e7280448dff92eff7fd38
SHA1d9fa67ffe3e33a530a929368bcec80212d57477e
SHA256375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95
SHA512b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2
-
Filesize
904KB
MD599ea9f16c4f432f12d23ac1f50f05fbc
SHA1660bda601a4f6c078d47ffdc91bba3a6875dda0f
SHA256b8c05c9f4bdd4fb29b7d1c50771c630cfeed85b3fb26146e171cd75cba2542d4
SHA512783a892754092ccbfb462487751f690a3df72aa9e5c6c88d6a229e04b8f24ee11da3de0b282d8e1707edc11ae07c96e49ca27ddc0b7df71ec10f88b17930d985
-
Filesize
23.7MB
MD58a41d175a2a6473bce239e518a584983
SHA1e686ddb39c29462c7ea9da086a66f835a812563e
SHA256946f824b3296b0fc7a1905050c1352a1d0769d59de565a8736b30eb2b08177ff
SHA512819028c229e5ac3d7da769b79b30f43abb5561fa0e1d58a88e408d005c26cfdbb27ff2565536b9f209eeb8c718388378041c778f02d68b3b904129c25d6f2c1d
-
Filesize
603B
MD57a3cb5165a7a60ae911779b5348c464b
SHA10f54e5e48ac96044f8ad090838c330e6ab9c78b1
SHA25638929a2ec2fe71a2bd9e8e8f9bf8520e2466c8f9d6d890297ef7e1b1a307102c
SHA512eb04c9eb61c98860ab706f1f4e19c1bed3cbca5e0050d4549baee2e7cc2e1a047c417e8107b9b76919cdc5cae232e8e2d5d0e874374f81d0532b7060852954b7
-
Filesize
196KB
MD554b5926b964e7280448dff92eff7fd38
SHA1d9fa67ffe3e33a530a929368bcec80212d57477e
SHA256375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95
SHA512b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2
-
Filesize
196KB
MD554b5926b964e7280448dff92eff7fd38
SHA1d9fa67ffe3e33a530a929368bcec80212d57477e
SHA256375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95
SHA512b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2
-
Filesize
196KB
MD554b5926b964e7280448dff92eff7fd38
SHA1d9fa67ffe3e33a530a929368bcec80212d57477e
SHA256375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95
SHA512b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2
-
Filesize
904KB
MD599ea9f16c4f432f12d23ac1f50f05fbc
SHA1660bda601a4f6c078d47ffdc91bba3a6875dda0f
SHA256b8c05c9f4bdd4fb29b7d1c50771c630cfeed85b3fb26146e171cd75cba2542d4
SHA512783a892754092ccbfb462487751f690a3df72aa9e5c6c88d6a229e04b8f24ee11da3de0b282d8e1707edc11ae07c96e49ca27ddc0b7df71ec10f88b17930d985
-
Filesize
904KB
MD599ea9f16c4f432f12d23ac1f50f05fbc
SHA1660bda601a4f6c078d47ffdc91bba3a6875dda0f
SHA256b8c05c9f4bdd4fb29b7d1c50771c630cfeed85b3fb26146e171cd75cba2542d4
SHA512783a892754092ccbfb462487751f690a3df72aa9e5c6c88d6a229e04b8f24ee11da3de0b282d8e1707edc11ae07c96e49ca27ddc0b7df71ec10f88b17930d985
-
Filesize
23.7MB
MD58a41d175a2a6473bce239e518a584983
SHA1e686ddb39c29462c7ea9da086a66f835a812563e
SHA256946f824b3296b0fc7a1905050c1352a1d0769d59de565a8736b30eb2b08177ff
SHA512819028c229e5ac3d7da769b79b30f43abb5561fa0e1d58a88e408d005c26cfdbb27ff2565536b9f209eeb8c718388378041c778f02d68b3b904129c25d6f2c1d
-
Filesize
8KB
-
Filesize
202KB
-
Filesize
202KB
-
Filesize
202KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
202KB