Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2022, 11:31
Behavioral task: behavioral1
- Sample: ba5396e15e896c12f5b948b4ab134e44.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ba5396e15e896c12f5b948b4ab134e44.exe
- Resource: win10v2004-20220901-en
General
- Target: ba5396e15e896c12f5b948b4ab134e44.exe
- Size: 91KB
- MD5: ba5396e15e896c12f5b948b4ab134e44
- SHA1: ad091a08da28014d915f0ba4dee83598d04eddaf
- SHA256: 29bdf30d0b641a2fb9abc5dc9b5544e39cb91c9e2deb927b45679010198c765f
- SHA512: 7a5ddd3e3459745c301723c8516fe09806a18c5e57c99eba068dade72e0e7da0fef4423120fe84106390b7cf426ad56ccedb26f05430f3d6c25560dd42b5ab4e
- SSDEEP: 1536:9Jvpm0PGt6rj5w0OqcocxrD5n6eDwDueLic+8ifnIcQ63xF+0j11BrM:XvpmuGt6rj5w0Oqcoc+ekDVLi580nIco
Malware Config
Signatures
- Gh0st RAT payload (6 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/1528-132-0x0000000000400000-0x0000000000419000-memory.dmp   family_gh0strat
  behavioral2/files/0x0003000000000721-133.dat                                   family_gh0strat
  behavioral2/memory/1528-134-0x0000000000400000-0x0000000000419000-memory.dmp   family_gh0strat
  behavioral2/files/0x0003000000000721-135.dat                                   family_gh0strat
  behavioral2/memory/4924-136-0x0000000010000000-0x0000000010013000-memory.dmp   family_gh0strat
  behavioral2/memory/4924-137-0x0000000010000000-0x0000000010013000-memory.dmp   family_gh0strat
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\pcguard.dll"
  Process: ba5396e15e896c12f5b948b4ab134e44.exe
- Loads dropped DLL (1 IoC)
  pid: 4924
  Process: SVCHOST.EXE
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                    Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       SVCHOST.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~mhz  SVCHOST.EXE
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid    Process                                 entries
  1528   ba5396e15e896c12f5b948b4ab134e44.exe    4
  4924   SVCHOST.EXE                             20
Processes
- C:\Users\Admin\AppData\Local\Temp\ba5396e15e896c12f5b948b4ab134e44.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba5396e15e896c12f5b948b4ab134e44.exe"
  - Sets DLL path for service in the registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 1528
- C:\Windows\SysWOW64\SVCHOST.EXE
  Command line: C:\Windows\SysWOW64\SVCHOST.EXE -K NETSVCS -s FastUserSwitchingCompatibility
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 4924
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 72KB
  MD5: 48aa18f2c741c9c81e99bf54525908b6
  SHA1: b6190fd0c7b39c2baf653ceeb1a314772ab0d101
  SHA256: 551de1b9554f4a69459d036b91a5d206d2d4b7744285b124948ffe349093ec40
  SHA512: 55c02c7746d4b96b71fe410ab9bd57f428c7ee27a1c47456c3e520d7e468c3240646785dcea65ee7b3e104133f303036f667728aa4289c89b065b0ae93e3530b