Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
161s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
21/09/2023, 00:43
General
-
Target
9d62aa6094a6e093b4442cf900b115df53ee0970fc5867c416096483fc7232a2.exe
-
Size
1.0MB
-
MD5
2e7b56329ff02982ce0ed6cc645a22e7
-
SHA1
c04483bf2fe79280b7062198a0ab42e0cb3bccbc
-
SHA256
9d62aa6094a6e093b4442cf900b115df53ee0970fc5867c416096483fc7232a2
-
SHA512
e9f24c855a5140085f2863735f0d867be1167cea7573963480478c62220dc8ed8940ea915d47e9814f4de1e80a1e28161169a84dc1d7ab47f28aae98bae8d45e
-
SSDEEP
12288:R1ec/eFqGZyUgCraUIk2yFqR+lIaaiEOqN/L0FgEhBCpJJNn8/MPr4OsnM:be7qGEUgCPr24qR+aaHEx/wFvUPEOs
Malware Config
Extracted
gh0strat
47.97.163.157
Signatures
-
Gh0st RAT payload 1 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d62aa6094a6e093b4442cf900b115df53ee0970fc5867c416096483fc7232a2.exe"C:\Users\Admin\AppData\Local\Temp\9d62aa6094a6e093b4442cf900b115df53ee0970fc5867c416096483fc7232a2.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\·ÀºÚÆÁ2.exeC:\Users\Admin\AppData\Local\Temp\·ÀºÚÆÁ2.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /tn "ShowsWin" /tr C:\Windows\ShowsWinse.exe /f2⤵
- Creates scheduled task(s)
-
-
C:\Windows\ShowsWinse.exeC:\Windows\ShowsWinse.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\·ÀºÚÆÁ2.exeC:\Windows\·ÀºÚÆÁ2.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /tn "ShowsWin" /tr C:\Windows\ShowsWinse.exe /f2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
780KB
MD552b8ff9e93b3ed7d23f1be5737fe9fd6
SHA19dc246cbba5e4e103cbab5642f9bc00375aa01e8
SHA2569fac08b760dbd1ba11421fd0a1f3c4297527752dd31c38f2d16098420a5d8342
SHA5122ebf43f646968a9d9a68a996f2f5522a14b8a04fe732bc3718744d929ee3e53eb367d3ea0521fa29b4b091243cd6ce17a66875cc09a91cd570ed48403b2c995f
-
Filesize
780KB
MD552b8ff9e93b3ed7d23f1be5737fe9fd6
SHA19dc246cbba5e4e103cbab5642f9bc00375aa01e8
SHA2569fac08b760dbd1ba11421fd0a1f3c4297527752dd31c38f2d16098420a5d8342
SHA5122ebf43f646968a9d9a68a996f2f5522a14b8a04fe732bc3718744d929ee3e53eb367d3ea0521fa29b4b091243cd6ce17a66875cc09a91cd570ed48403b2c995f
-
Filesize
1.0MB
MD52e7b56329ff02982ce0ed6cc645a22e7
SHA1c04483bf2fe79280b7062198a0ab42e0cb3bccbc
SHA2569d62aa6094a6e093b4442cf900b115df53ee0970fc5867c416096483fc7232a2
SHA512e9f24c855a5140085f2863735f0d867be1167cea7573963480478c62220dc8ed8940ea915d47e9814f4de1e80a1e28161169a84dc1d7ab47f28aae98bae8d45e
-
Filesize
1.0MB
MD52e7b56329ff02982ce0ed6cc645a22e7
SHA1c04483bf2fe79280b7062198a0ab42e0cb3bccbc
SHA2569d62aa6094a6e093b4442cf900b115df53ee0970fc5867c416096483fc7232a2
SHA512e9f24c855a5140085f2863735f0d867be1167cea7573963480478c62220dc8ed8940ea915d47e9814f4de1e80a1e28161169a84dc1d7ab47f28aae98bae8d45e
-
Filesize
780KB
MD552b8ff9e93b3ed7d23f1be5737fe9fd6
SHA19dc246cbba5e4e103cbab5642f9bc00375aa01e8
SHA2569fac08b760dbd1ba11421fd0a1f3c4297527752dd31c38f2d16098420a5d8342
SHA5122ebf43f646968a9d9a68a996f2f5522a14b8a04fe732bc3718744d929ee3e53eb367d3ea0521fa29b4b091243cd6ce17a66875cc09a91cd570ed48403b2c995f
-
Filesize
780KB
MD552b8ff9e93b3ed7d23f1be5737fe9fd6
SHA19dc246cbba5e4e103cbab5642f9bc00375aa01e8
SHA2569fac08b760dbd1ba11421fd0a1f3c4297527752dd31c38f2d16098420a5d8342
SHA5122ebf43f646968a9d9a68a996f2f5522a14b8a04fe732bc3718744d929ee3e53eb367d3ea0521fa29b4b091243cd6ce17a66875cc09a91cd570ed48403b2c995f
-
Filesize
116KB