Analysis

  • max time kernel
    117s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/07/2023, 12:03

General

  • Target

    招聘8000~10000急招!.exe

  • Size

    3.4MB

  • MD5

    15657565db569d1aa879e194dc00de93

  • SHA1

    9014d598e0e2d6567bb33e8cd23b9cdcf520ed35

  • SHA256

    689a0efe9b555bb7af55921445265076008b6f5e400587b2d40268220bb6cef6

  • SHA512

    872f034932b16aa3e8d35ef383906da497927f7f873e6c0c6a7bb6404275ad685bacb931f406a149722d979794e7249d9d860cc2c09143fde654a4b5d8b3374f

  • SSDEEP

    49152:qsmmparkOxyvT+yzUJ6Ya+AvTLaa6n57WA8J5:3kxtx/aR65T8J5

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\招聘8000~10000急招!.exe
    "C:\Users\Admin\AppData\Local\Temp\招聘8000~10000急招!.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\windows\ClientDaemon.exe
      C:\windows\ClientDaemon.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2440

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\ClientDaemon.exe

    Filesize

    1.9MB

    MD5

    c654f1460f961fa85843230281fc0ab0

    SHA1

    a0068ba05dd836a0696b392ee1d6ab896c26e1e9

    SHA256

    10a4cef987f11011694bfb6362fe48c365826f913b172b3586faeb2f4f27ca17

    SHA512

    f7e122e9bfc4aa5f6c572e92fa685cc2e1b5b778c8bc1cc90f75b896677512a84369c04ebba40cc22cb04d4e76abbd44cc6a7ac2d07747f299f435bf32de5db4

  • C:\Windows\Temp\cb.txt

    Filesize

    1KB

    MD5

    b6faf82e2ce9e134094767b1139c8b5d

    SHA1

    e01b9fb3e69e30aead7d3feac448958d3acb9e72

    SHA256

    00cd51ef85bbb0056dc13f0ba573ed00297f032d021c0f84f4196c8f790001e0

    SHA512

    e0cef85cb4bd9c4a2d12bc960d4f6eb37aa256bcfa7a88544f9df712eb325198bb2f31695900443fb8e080c43dbcd743c42eaa8e3bed91b305cceb7309fd1685

  • C:\windows\nw_elf.dll

    Filesize

    8KB

    MD5

    810563e55316cf3e7a5fa3720d31b6a9

    SHA1

    dfd445ba9291f79edea6096b274af37b6f8d9cc0

    SHA256

    3081ed3c3c6b198dd1229206f183f25951d403e5231df8804cbf1a4cc2f0601c

    SHA512

    a56d9dac2b39f3f002ae57eba3fe256d165e72796d92a7164b36cf7b5a2b2f8e7198abf51847ae6266f1d541534ee068d01808eefe59008438f03b576aa1f2f7

  • memory/2440-62-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

  • memory/2440-63-0x00000000003D0000-0x000000000041E000-memory.dmp

    Filesize

    312KB

  • memory/2440-64-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/2440-68-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/2440-69-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/2440-72-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

  • memory/2440-73-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB