Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
14/10/2023, 15:34
General
-
Target
e0876e96ff2cead5fb36f097f0312f809626287bda7809d9e741d869387cc618.exe
-
Size
2.1MB
-
MD5
6ff22367445fd5b83fd988006910967e
-
SHA1
fff398692fc7c2da091b506a42b12cae8dad5212
-
SHA256
e0876e96ff2cead5fb36f097f0312f809626287bda7809d9e741d869387cc618
-
SHA512
25581e2ed2eccc263e8266d1936ea4c6daa2ea69439ef66a2fcc4b3d4e83de8c904d34334444f26e52d936b44be25f5412c53059456a555cf3a6ac0f1cf53a04
-
SSDEEP
49152:tTYcTarVjQllcn9XdeUxIMTr+Emb9XK6adYKuuTkP8UL2Z5e/gPSsP7YU4:tGVjQllcn9X/xdmEmb9XK68uuTkP0e/o
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0876e96ff2cead5fb36f097f0312f809626287bda7809d9e741d869387cc618.exe"C:\Users\Admin\AppData\Local\Temp\e0876e96ff2cead5fb36f097f0312f809626287bda7809d9e741d869387cc618.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\LanecatTrial\MSIF1.exe"C:\Users\Public\LanecatTrial\MSIF1.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61B
MD59007d611da15e2880500f4d32dce22b5
SHA136462ed68e1cc9be8e4caaab6af98f81ac1ac6e8
SHA256daa0d81956c390e8a7928da1fb6cd5832f4a5fb10709b2093cca1015ce035389
SHA512bcea1ff73980bd16b97427a1abcfc8cea1e4d1f1373f715a1968dc651c39944b132c4a280b8ae55b203d0f444decb756bad5a2535a857cd74f97729a3bca872f
-
Filesize
2.0MB
MD52ff236ca982bc4fdd29586ab77c49fdd
SHA1187b43ea891e01b6530d249b988c713d826c04e7
SHA2569064ab3843cb154f46a2e4d9a5d0f2df9bedd1a684efaba8a6e94cb77070edf3
SHA512c43f693d095fe02a53368fb9d3ea207f1082201afebd00076eb08bad082e71cf2ec66bc1bb45405278c91afdf8b6087b366540843c88cfcf80184c2e15b1504d
-
Filesize
2.0MB
MD52ff236ca982bc4fdd29586ab77c49fdd
SHA1187b43ea891e01b6530d249b988c713d826c04e7
SHA2569064ab3843cb154f46a2e4d9a5d0f2df9bedd1a684efaba8a6e94cb77070edf3
SHA512c43f693d095fe02a53368fb9d3ea207f1082201afebd00076eb08bad082e71cf2ec66bc1bb45405278c91afdf8b6087b366540843c88cfcf80184c2e15b1504d
-
Filesize
2.0MB
MD52ff236ca982bc4fdd29586ab77c49fdd
SHA1187b43ea891e01b6530d249b988c713d826c04e7
SHA2569064ab3843cb154f46a2e4d9a5d0f2df9bedd1a684efaba8a6e94cb77070edf3
SHA512c43f693d095fe02a53368fb9d3ea207f1082201afebd00076eb08bad082e71cf2ec66bc1bb45405278c91afdf8b6087b366540843c88cfcf80184c2e15b1504d
-
Filesize
411KB
MD5e3c817f7fe44cc870ecdbcbc3ea36132
SHA12ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA5124fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe
-
Filesize
755KB
MD5bf38660a9125935658cfa3e53fdc7d65
SHA10b51fb415ec89848f339f8989d323bea722bfd70
SHA25660c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA51225f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1
-
Filesize
576KB
MD50c7e1f10b913905bee841b78e3a35676
SHA1ce4d74e314bca1d23afab5cb5d014f7e8e4efe89
SHA256be554ac1cc79c2b7d5cd6ec35b2167a0e94e76bc78598eeb5c7b82cc366cd537
SHA512137b54335b3b3b8254afbc27bc36b20360abae9dd43d336927cfa08a9c3654448e1c3fc33a559f5000433a482a22c8a03d902b61332b81a60d529ef3d68225fb
-
Filesize
4.2MB
MD5f32077df74efd435a1dcdf415e189df1
SHA12771393d56ff167275bf03170377c43c28ee14e1
SHA25624bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71
SHA512fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850
-
Filesize
4.2MB
MD5f32077df74efd435a1dcdf415e189df1
SHA12771393d56ff167275bf03170377c43c28ee14e1
SHA25624bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71
SHA512fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850
-
Filesize
305KB
MD55d6c90d2cb177500f7b46f8c7caf6531
SHA14fc46eb0cf80073855580ec34b319fe361020379
SHA256e512dc10ff8d33efe688c3214be608a40ecf4f1f7b4f9659ff6efc9a6827ee40
SHA512eb35f337e0a6387d4bc47b6d9be241e4ea2c28936e3b4edc58448fc205b55c8171ec40399293b24e949fbb2a656918056e498b6dbedd6757c7bf2151862aa0d0
-
Filesize
305KB
MD55d6c90d2cb177500f7b46f8c7caf6531
SHA14fc46eb0cf80073855580ec34b319fe361020379
SHA256e512dc10ff8d33efe688c3214be608a40ecf4f1f7b4f9659ff6efc9a6827ee40
SHA512eb35f337e0a6387d4bc47b6d9be241e4ea2c28936e3b4edc58448fc205b55c8171ec40399293b24e949fbb2a656918056e498b6dbedd6757c7bf2151862aa0d0
-
Filesize
411KB
MD5e3c817f7fe44cc870ecdbcbc3ea36132
SHA12ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA5124fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe
-
Filesize
755KB
MD5bf38660a9125935658cfa3e53fdc7d65
SHA10b51fb415ec89848f339f8989d323bea722bfd70
SHA25660c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA51225f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1
-
Filesize
79B
MD51a7daedf4733bcc6c469200bffc5d8b1
SHA19e18b345ca9e6b9f7c378b3060fb878856164330
SHA2561fd13179203c52f4510a768e89cebcc3057490245ad8328ecd7756e5b85b9400
SHA51262ed084e03227149f2940bcc636817666e2f07fe800046ef09f8e91e2d15ff39c689e463f5c7946605384fb6b1e9844f5204fe8615973db528b65b4edcd64309
-
Filesize
60KB
MD53b1d46c4eb061065a5bb32d4fbb86b79
SHA1b04e3e18bee6dc6f298e2242c89041d16eb2d8bf
SHA2564e56158a4c191bff82056902290346109c8354eb7e43ba7de8e127535eb09507
SHA512d024ce1446086c0552d12f2bb117149821637cfaa887e4159a4fd94b0db4dee10126fc2c1577ef00e7efe89ee041b98f26c88996f4058b52300e4cff856af24d
-
Filesize
60KB
MD53b1d46c4eb061065a5bb32d4fbb86b79
SHA1b04e3e18bee6dc6f298e2242c89041d16eb2d8bf
SHA2564e56158a4c191bff82056902290346109c8354eb7e43ba7de8e127535eb09507
SHA512d024ce1446086c0552d12f2bb117149821637cfaa887e4159a4fd94b0db4dee10126fc2c1577ef00e7efe89ee041b98f26c88996f4058b52300e4cff856af24d
-
Filesize
60KB
MD53b1d46c4eb061065a5bb32d4fbb86b79
SHA1b04e3e18bee6dc6f298e2242c89041d16eb2d8bf
SHA2564e56158a4c191bff82056902290346109c8354eb7e43ba7de8e127535eb09507
SHA512d024ce1446086c0552d12f2bb117149821637cfaa887e4159a4fd94b0db4dee10126fc2c1577ef00e7efe89ee041b98f26c88996f4058b52300e4cff856af24d
-
Filesize
600KB
-
Filesize
600KB
-
Filesize
492KB
-
Filesize
600KB