Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

f25d5aaf5d...29.exe

windows7-x64

10

f25d5aaf5d...29.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    158s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f25d5aaf5db75844d979878065bf9459e457b19a57b31a97ff653e07fc637b29.exe

  • Size

    183KB

  • MD5

    f655dcae34c54f1d9fdd88ec300eddcc

  • SHA1

    b2fe35cfd45f06862a69877d2c1c932194ad3958

  • SHA256

    f25d5aaf5db75844d979878065bf9459e457b19a57b31a97ff653e07fc637b29

  • SHA512

    84a9be89c9404e0eb3a30b640252526858f4693f56ca6c25129e50da27e2fd98ad77257fb2f6854d6ae850a8821c75bdabd7af609a02d19cd64f311855ea7da1

  • SSDEEP

    3072:bMqKbTtCSIT0chwzzcdZKF8UvvoeWofjjpAVioRF8s//NLj6h+EvtR9:o9MMmwzlqUHoeWofjjpAViY/lH6h+Ev9

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f25d5aaf5db75844d979878065bf9459e457b19a57b31a97ff653e07fc637b29.exe
    "C:\Users\Admin\AppData\Local\Temp\f25d5aaf5db75844d979878065bf9459e457b19a57b31a97ff653e07fc637b29.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\XXXXXXAC994E22\JH.BAT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn * /f
        3⤵
          PID:676
        • C:\Windows\SysWOW64\sc.exe
          sc config Schedule start= auto
          3⤵
          • Launches sc.exe
          PID:976
        • C:\Windows\SysWOW64\net.exe
          net start "Task Scheduler"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start "Task Scheduler"
            4⤵
              PID:1932
          • C:\Windows\SysWOW64\at.exe
            At 0:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
            3⤵
              PID:892
            • C:\Windows\SysWOW64\at.exe
              At 1:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
              3⤵
                PID:628
              • C:\Windows\SysWOW64\at.exe
                At 2:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                3⤵
                  PID:1148
                • C:\Windows\SysWOW64\at.exe
                  At 3:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                  3⤵
                    PID:692
                  • C:\Windows\SysWOW64\at.exe
                    At 4:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                    3⤵
                      PID:928
                    • C:\Windows\SysWOW64\at.exe
                      At 5:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                      3⤵
                        PID:1084
                      • C:\Windows\SysWOW64\at.exe
                        At 6:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                        3⤵
                          PID:1464
                        • C:\Windows\SysWOW64\at.exe
                          At 7:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                          3⤵
                            PID:1060
                          • C:\Windows\SysWOW64\at.exe
                            At 8:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                            3⤵
                              PID:1224
                            • C:\Windows\SysWOW64\at.exe
                              At 9:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                              3⤵
                                PID:1720
                              • C:\Windows\SysWOW64\at.exe
                                At 10:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                                3⤵
                                  PID:1636
                                • C:\Windows\SysWOW64\at.exe
                                  At 11:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                                  3⤵
                                    PID:576
                                  • C:\Windows\SysWOW64\at.exe
                                    At 12:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                                    3⤵
                                      PID:772
                                    • C:\Windows\SysWOW64\at.exe
                                      At 13:00 C:\Windows\XXXXXXAC994E22\svchsot.exe
                                      3⤵
                                        PID:588

                                  Network

                                  MITRE ATT&CK Enterprise v6

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Windows\XXXXXXAC994E22\JH.BAT
                                    Filesize

                                    1KB

                                    MD5

                                    09f56ef791dec22839b2aae30a1a71f0

                                    SHA1

                                    34d232a67c48de2f67829af06e9074a44b5ef45c

                                    SHA256

                                    3ee3b25a494748e4e897ddab75c7b5f61ba71e7fbbaa3d11fc375c59fa4c4acd

                                    SHA512

                                    3b8e5f0b7d9239baa03b10204790ee97d7d27cb9b17d1b4089fa332f393b40d03915df6283cd394c97e1eda26282c497a9da4d8a931020000cdd15581bd4985e

                                    Download Submit

                                  • memory/1956-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/1956-60-0x0000000010000000-0x0000000010121000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/1956-57-0x0000000010000000-0x0000000010121000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/1956-55-0x0000000010000000-0x0000000010121000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download