Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e76c249262...b7.exe

windows7-x64

10

e76c249262...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/09/2023, 05:39 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe

  • Size

    1.1MB

  • MD5

    81063a6ec8fc6b35a92d03c335b61cad

  • SHA1

    a7f5173a6c5774e5c4be66f6e5496aa86fc6ec87

  • SHA256

    e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7

  • SHA512

    62964c54bc063f8bc351f7372add1d8f7a2f38b49c6d4a6ce07739a634ae355c9a43dd43810271919dcbfa2f99964050784250108332d1b59595a597a54e55f5

  • SSDEEP

    24576:psRkWF5Vi5Fu5xfSejKWaxRc0Ou1R1DSR0EA1RIkE7cLyll5:yRk+5kwvQIu1R10A1ukEFV

Score
10/10
gh0stratratupx

Malware Config

Extracted

Family

gh0strat

C2

192.253.237.97

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
    "C:\Users\Admin\AppData\Local\Temp\e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Local\Temp\e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7mgr.exe
      C:\Users\Admin\AppData\Local\Temp\e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7mgr.exe
      2⤵
      • Executes dropped EXE
      PID:3176
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 264
        3⤵
        • Program crash
        PID:2344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3176 -ip 3176
    1⤵
      PID:1176

    Network

    • flag-us
      DNS
      0.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      205.47.74.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.47.74.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      1.202.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      1.202.248.87.in-addr.arpa
      IN PTR
      Response
      1.202.248.87.in-addr.arpa
      IN PTR
      https-87-248-202-1amsllnwnet
    • flag-us
      DNS
      11.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       200 B
       5
      5
    • 192.253.237.97:8005
      e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7.exe
      260 B
       160 B
       5
      4
    • 8.8.8.8:53
      0.159.190.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      0.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      205.47.74.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      205.47.74.20.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      1.202.248.87.in-addr.arpa
      dns
      71 B
       116 B
       1
      1

      DNS Request

      1.202.248.87.in-addr.arpa

    • 8.8.8.8:53
      11.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      11.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      18.173.189.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      18.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7mgr.exe
      Filesize

      105KB

      MD5

      dfb5daabb95dcfad1a5faf9ab1437076

      SHA1

      4a199569a9b52911bee7fb19ab80570cc5ff9ed1

      SHA256

      54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

      SHA512

      5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\e76c24926275e4aa90876c29d1ed64781146b2df00ffe660f3152da8c06c0cb7mgr.exe
      Filesize

      105KB

      MD5

      dfb5daabb95dcfad1a5faf9ab1437076

      SHA1

      4a199569a9b52911bee7fb19ab80570cc5ff9ed1

      SHA256

      54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

      SHA512

      5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

      Download Submit

    • memory/3176-13089-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/3176-13088-0x00000000004A0000-0x00000000004A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3176-13086-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/4672-13070-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-13078-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-13072-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-13074-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-13075-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-13076-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-13077-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-13071-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-13079-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4672-0-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-13069-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4672-5884-0x0000000074E00000-0x0000000074E7A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4672-3875-0x0000000075CB0000-0x0000000075E50000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4672-1-0x0000000076460000-0x0000000076675000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4672-13090-0x0000000000400000-0x000000000056B000-memory.dmp

      Filesize

      1.4MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.