Analysis
max time kernel: 152s
max time network: 157s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2023, 07:27
Static task: static1
Behavioral task: behavioral1
Sample: bfa50a51db2f82d3ded8771bf3accb9ed7caf24429e837c234860428e483ca55.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: bfa50a51db2f82d3ded8771bf3accb9ed7caf24429e837c234860428e483ca55.exe
Resource: win10v2004-20231023-en
General
Target: bfa50a51db2f82d3ded8771bf3accb9ed7caf24429e837c234860428e483ca55.exe
Size: 400KB
MD5: cb5d9f4f007a89a5843d6620176696cd
SHA1: a3118005480625a2328caa17c504da4e66194152
SHA256: bfa50a51db2f82d3ded8771bf3accb9ed7caf24429e837c234860428e483ca55
SHA512: 4834a2dc4155c2e92934d1c5357c2bb1f674d0e1a8621c55b07e97f7e64c6bb8554673c87343549e729d57b54a7b72ba5dc2ff554c83b1bc0451a8593f001fdd
SSDEEP: 6144:kIMNc8ESDZNmwR/NkPa05Udb79fbHbpX6Zl:kIYc8ES1NmwR/iPa6Udb5fbH2
Malware Config
Extracted family: gh0strat
Extracted config value: hdalulnc.e3.luyouxia.net
Signatures

Gh0st RAT payload (1 IoC)
resource: behavioral1/memory/2136-0-0x0000000010000000-0x0000000010010000-memory.dmp
yara_rule: family_gh0strat

Executes dropped EXE (2 IoCs)
pid / Process:
2200 / Icmcokm.exe
3068 / Icmcokm.exe

Drops file in Program Files directory (2 IoCs)
description / ioc / Process:
File opened for modification / C:\Program Files (x86)\Icmcokm.exe / bfa50a51db2f82d3ded8771bf3accb9ed7caf24429e837c234860428e483ca55.exe
File created / C:\Program Files (x86)\Icmcokm.exe / bfa50a51db2f82d3ded8771bf3accb9ed7caf24429e837c234860428e483ca55.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description / pid / Process / procid_target:
PID 2200 wrote to memory of 3068 / 2200 / Icmcokm.exe / 29
PID 2200 wrote to memory of 3068 / 2200 / Icmcokm.exe / 29
PID 2200 wrote to memory of 3068 / 2200 / Icmcokm.exe / 29
PID 2200 wrote to memory of 3068 / 2200 / Icmcokm.exe / 29
Processes

C:\Users\Admin\AppData\Local\Temp\bfa50a51db2f82d3ded8771bf3accb9ed7caf24429e837c234860428e483ca55.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bfa50a51db2f82d3ded8771bf3accb9ed7caf24429e837c234860428e483ca55.exe"
  PID: 2136
  - Drops file in Program Files directory

C:\Program Files (x86)\Icmcokm.exe
  command line: "C:\Program Files (x86)\Icmcokm.exe"
  PID: 2200
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Icmcokm.exe (child of PID 2200)
    command line: "C:\Program Files (x86)\Icmcokm.exe" Win7
    PID: 3068
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 400KB
MD5: cb5d9f4f007a89a5843d6620176696cd
SHA1: a3118005480625a2328caa17c504da4e66194152
SHA256: bfa50a51db2f82d3ded8771bf3accb9ed7caf24429e837c234860428e483ca55
SHA512: 4834a2dc4155c2e92934d1c5357c2bb1f674d0e1a8621c55b07e97f7e64c6bb8554673c87343549e729d57b54a7b72ba5dc2ff554c83b1bc0451a8593f001fdd