Analysis
max time kernel: 141s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/07/2023, 17:41
Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: qpr.exe
Resource: win7-20230712-en
5 signatures
150 seconds
General
Target: qpr.exe
Size: 30KB
MD5: 1908c7682637a1cb64030ff57ad27efd
SHA1: 92146ad99ccdd943fd995c6a904ec523565a8653
SHA256: 46f3efb05e06e17600eea65c49c8700d5eb74ebb8611aa69981c413eb2e0c69a
SHA512: f5ee6d7c14ac5ddbd37adcf9e7a1a1c85181513d8401ef87bbd4903d6b799a6b8f9d0b757904d6cc1e8e6aefebceee7c8c3dad089a4b7c90604380808df2e989
SSDEEP: 768:DOu2N1RVWBQOAnbAYOwWxf3mOIW/b2Jbex787GR:alvEOI5QWiJbe5nR
Malware Config
Extracted
Family: gh0strat
C2: 154.39.248.196
Signatures

Gh0st RAT payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2804-134-0x00000000038F0000-0x00000000039F0000-memory.dmp | family_gh0strat
behavioral2/memory/2804-135-0x0000000010000000-0x0000000010015000-memory.dmp | family_gh0strat
behavioral2/memory/2804-139-0x00000000038F0000-0x00000000039F0000-memory.dmp | family_gh0strat

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | qpr.exe
File opened (read-only) | \??\P: | qpr.exe
File opened (read-only) | \??\Q: | qpr.exe
File opened (read-only) | \??\Z: | qpr.exe
File opened (read-only) | \??\J: | qpr.exe
File opened (read-only) | \??\L: | qpr.exe
File opened (read-only) | \??\M: | qpr.exe
File opened (read-only) | \??\R: | qpr.exe
File opened (read-only) | \??\S: | qpr.exe
File opened (read-only) | \??\T: | qpr.exe
File opened (read-only) | \??\Y: | qpr.exe
File opened (read-only) | \??\W: | qpr.exe
File opened (read-only) | \??\E: | qpr.exe
File opened (read-only) | \??\G: | qpr.exe
File opened (read-only) | \??\H: | qpr.exe
File opened (read-only) | \??\K: | qpr.exe
File opened (read-only) | \??\O: | qpr.exe
File opened (read-only) | \??\U: | qpr.exe
File opened (read-only) | \??\V: | qpr.exe
File opened (read-only) | \??\X: | qpr.exe
File opened (read-only) | \??\I: | qpr.exe
File opened (read-only) | \??\N: | qpr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | qpr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | qpr.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2804 | qpr.exe
2804 | qpr.exe