Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

aae60b0734...f2.exe

windows7-x64

10

aae60b0734...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aae60b0734321c13187e07987ef2622892e819354e1eef478eb520166c4c01f2.exe

  • Size

    71KB

  • MD5

    1d8f6aec6bdc4f530c18ac667170f82c

  • SHA1

    627233894ce3c894283c61f1658944ea15c6a263

  • SHA256

    aae60b0734321c13187e07987ef2622892e819354e1eef478eb520166c4c01f2

  • SHA512

    dfc22d815bf3e2356f45855a627defc5c1b651c2e33666250f33e89f0b5445ab4c2ecd8776ce2726c042f37d2ad6a5bb30fc31bac5b1aa5333618eecc90ac159

  • SSDEEP

    1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uiryS5e:+pZTvnyEZiGJ7/QguiryS5e

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aae60b0734321c13187e07987ef2622892e819354e1eef478eb520166c4c01f2.exe
    "C:\Users\Admin\AppData\Local\Temp\aae60b0734321c13187e07987ef2622892e819354e1eef478eb520166c4c01f2.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1340
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\730800.dll
    Filesize

    64KB

    MD5

    747cb6693b4395dfb17d801271273c83

    SHA1

    68aa34cc79dfccd8590b08eaaf9e44776420924d

    SHA256

    56a18a9d5c006a3ae78907faba4f7ff69c8249c99fa11bfd6646d1c85d537fd2

    SHA512

    3c8e408222bd7d8dfce02b9c6c9e99d677f507a6968865b23fe51680282809a431ec94635856d3d8e38783d70f0aaa15bb3d566d33d28cf40f944c833243e43a

    Download Submit

  • \??\c:\NT_Path.jpg
    Filesize

    116B

    MD5

    096f2fe2f5b458bdd5336df5fbea7463

    SHA1

    d08f164b4613d42d7bef18ab926fdcf32ec6cfe9

    SHA256

    78f9556d014d20ec2ee0b54a8a6f3e84f07bf6e5615ebbc176b21b56c1228e2b

    SHA512

    124a22c8d2a55bf563a3d33bd9ed86da022bea7e85db116f8f782b19a81a8d6a799d531b6f4036712b784add88561b1d5057a05cbfa8e17523c8f495b44546ae

    Download Submit

  • \??\c:\program files (x86)\xtxq\xcqpsdkvg.jpg
    Filesize

    7.6MB

    MD5

    06892238f5c18acfa53efc8c525d3765

    SHA1

    6a1529ca1cdefab5258658e27c75066f14814387

    SHA256

    21f6b0cd7ab9b49d5f18b8c3c7e53ec04548adb1d6730c4d751a6c7afef8ad30

    SHA512

    b1809f54f39806a4a7d3cde98b436005fd07f48c33f8dd8b482a46db5cfb9af9d585b98038096cff314daabd6969230f8c94f1120a6219caedc54f40b8cc36c1

    Download Submit

  • \Program Files (x86)\Xtxq\Xcqpsdkvg.jpg
    Filesize

    7.6MB

    MD5

    06892238f5c18acfa53efc8c525d3765

    SHA1

    6a1529ca1cdefab5258658e27c75066f14814387

    SHA256

    21f6b0cd7ab9b49d5f18b8c3c7e53ec04548adb1d6730c4d751a6c7afef8ad30

    SHA512

    b1809f54f39806a4a7d3cde98b436005fd07f48c33f8dd8b482a46db5cfb9af9d585b98038096cff314daabd6969230f8c94f1120a6219caedc54f40b8cc36c1

    Download Submit

  • memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

    Filesize

    8KB

    Download