Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

f2b8bd06ce...74.exe

windows7-x64

10

f2b8bd06ce...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    28/08/2023, 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2b8bd06ce83ece8e1325c467b51ec43b8d72599fedb4d0386832888f70e1274.exe

  • Size

    356KB

  • MD5

    59b60bc722bfaa37c8984e4480f85ebe

  • SHA1

    89525a4d44251f01f9edbbb5c04a8d98ba162d63

  • SHA256

    f2b8bd06ce83ece8e1325c467b51ec43b8d72599fedb4d0386832888f70e1274

  • SHA512

    e4527f3d959ad144224e5e4c6d16cc6b5dd20210d0e9d7aae3b65823e4c84c76642029f2a4d1891590bed27cc0ebfea09a3ca26ac9a1487fc5c91d34bb970672

  • SSDEEP

    6144:d+8GZSKnqykOol/TrY9bk+PUyIfsciElZw5au/q+v/M7iFAcGXqI:eSKn/mTM9g+sxfPiEz1oq+3M7gdGXqI

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2b8bd06ce83ece8e1325c467b51ec43b8d72599fedb4d0386832888f70e1274.exe
    "C:\Users\Admin\AppData\Local\Temp\f2b8bd06ce83ece8e1325c467b51ec43b8d72599fedb4d0386832888f70e1274.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:2376
  • C:\windows\Owocoe.com
    C:\windows\Owocoe.com -auto
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\windows\Owocoe.com
      C:\windows\Owocoe.com -acsi
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\OWOCOE.COM
    Filesize

    356KB

    MD5

    59b60bc722bfaa37c8984e4480f85ebe

    SHA1

    89525a4d44251f01f9edbbb5c04a8d98ba162d63

    SHA256

    f2b8bd06ce83ece8e1325c467b51ec43b8d72599fedb4d0386832888f70e1274

    SHA512

    e4527f3d959ad144224e5e4c6d16cc6b5dd20210d0e9d7aae3b65823e4c84c76642029f2a4d1891590bed27cc0ebfea09a3ca26ac9a1487fc5c91d34bb970672

    Download Submit

  • C:\Windows\Owocoe.com
    Filesize

    356KB

    MD5

    59b60bc722bfaa37c8984e4480f85ebe

    SHA1

    89525a4d44251f01f9edbbb5c04a8d98ba162d63

    SHA256

    f2b8bd06ce83ece8e1325c467b51ec43b8d72599fedb4d0386832888f70e1274

    SHA512

    e4527f3d959ad144224e5e4c6d16cc6b5dd20210d0e9d7aae3b65823e4c84c76642029f2a4d1891590bed27cc0ebfea09a3ca26ac9a1487fc5c91d34bb970672

    Download Submit

  • C:\Windows\Owocoe.com
    Filesize

    356KB

    MD5

    59b60bc722bfaa37c8984e4480f85ebe

    SHA1

    89525a4d44251f01f9edbbb5c04a8d98ba162d63

    SHA256

    f2b8bd06ce83ece8e1325c467b51ec43b8d72599fedb4d0386832888f70e1274

    SHA512

    e4527f3d959ad144224e5e4c6d16cc6b5dd20210d0e9d7aae3b65823e4c84c76642029f2a4d1891590bed27cc0ebfea09a3ca26ac9a1487fc5c91d34bb970672

    Download Submit

  • C:\Windows\SysWOW64\ini.ini
    Filesize

    19B

    MD5

    fe9af7587d65300338177538aa72f924

    SHA1

    c8ae231d3ae13f9db8b9f16e188e951e7cb76377

    SHA256

    556243e27a369fbdff1ecfb413b7540f1eb4e6becba03b76d221443b0d022351

    SHA512

    3bffe70c5daea4d6be501278be067bbc02e7ac211fef33629b5447ef498d49af7cbe25f994e33c2835bd9963749c07edc789fddd918e1c7739b77422ff57cf3e

    Download Submit

  • C:\input.txt
    Filesize

    4B

    MD5

    ccf8111910291ba472b385e9c5f59099

    SHA1

    49c2ad0acc151a565bf00a30b012471a984c42b6

    SHA256

    214c993d16c6ca97becc711cae8eee69336bc377d097f225c72ae4fd01cbc018

    SHA512

    1575a0ae17202ba849478ffa2a97e69bd9612df9ef38f01bd96514442c399ee4d31151cb7197f891ded60f74c272ec9e5b0a3a63b7f020b79f37083d910f3a2b

    Download Submit

  • memory/1756-17-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/1756-12-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/1756-29-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2376-21-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2376-0-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2376-4-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2376-5-0x0000000010000000-0x0000000010038000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2876-27-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2876-33-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2876-35-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2876-37-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2876-40-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2876-47-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download