Analysis
max time kernel: 151s
max time network: 145s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 15:21
Behavioral task behavioral1
Sample: 0383d9b89c79c31c78dc3fc01b6bd4fb.exe
Resource: win7-20231215-en

Behavioral task behavioral2
Sample: 0383d9b89c79c31c78dc3fc01b6bd4fb.exe
Resource: win10v2004-20231215-en
General
Target: 0383d9b89c79c31c78dc3fc01b6bd4fb.exe
Size: 668KB
MD5: 0383d9b89c79c31c78dc3fc01b6bd4fb
SHA1: dd2c003bef0b2b9800404178a5582af4cf86d5ad
SHA256: 66fd0db31f99ed1ca05b961ab1a86ec56d3d54e3cef269ed906be1c32d302f02
SHA512: 0ccac8a7a18a6cb9afefe44234462b34c967b4c467dc3513595554dcdb724016f7eecb8622799246ca26fe9b8cb100af12275c066b2eb91302ad88f955a39b86
SSDEEP: 12288:3/eC0vZVQQxfnr+TK7r79/JenWAG36ATphjM5Bv9:3/XwVQQxfnr+TK7r79/Je3GqArjM5Bv9
Malware Config
Signatures

Gh0st RAT payload (2 IoCs)
- resource behavioral1/files/0x00300000000152f8-4.dat, yara_rule family_gh0strat
- resource behavioral1/files/0x00300000000152f8-6.dat, yara_rule family_gh0strat

Executes dropped EXE (1 IoC)
- pid 2448, process svchest000.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "c:\\Windows\\notepab.exe", process 0383d9b89c79c31c78dc3fc01b6bd4fb.exe

Drops file in Windows directory (5 IoCs)
- File created \??\c:\Windows\notepab.exe, process 0383d9b89c79c31c78dc3fc01b6bd4fb.exe
- File created \??\c:\Windows\BJ.exe, process 0383d9b89c79c31c78dc3fc01b6bd4fb.exe
- File opened for modification \??\c:\Windows\BJ.exe, process 0383d9b89c79c31c78dc3fc01b6bd4fb.exe
- File created \??\c:\Windows\svchest000.exe, process 0383d9b89c79c31c78dc3fc01b6bd4fb.exe
- File opened for modification \??\c:\Windows\svchest000.exe, process 0383d9b89c79c31c78dc3fc01b6bd4fb.exe

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2028 wrote to memory of 2448; pid 2028, process 0383d9b89c79c31c78dc3fc01b6bd4fb.exe, procid_target 28 (the same entry is recorded four times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0383d9b89c79c31c78dc3fc01b6bd4fb.exe (PID 2028)
   command line: "C:\Users\Admin\AppData\Local\Temp\0383d9b89c79c31c78dc3fc01b6bd4fb.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. \??\c:\Windows\svchest000.exe (PID 2448, child of PID 2028)
      command line: c:\Windows\svchest000.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 623KB
MD5: f445212baec163e174e0f3d6b232c502
SHA1: c6f4b4873ad4c1fefb47f5ccf4f3f2256e14d70c
SHA256: 53f100c831ea189fb06c2bea92cee8e80589925594f54d7e8c2f31c9373f3f3f
SHA512: 8403875f04cc3a3b4c3cd94ace1343f3882e059061462c7f07672657d48994ba7ba70f34e9a4630cd83f2a876f5ed6ae3485cebc1bc2be53eb6bd6f36646a73c

Filesize: 434KB
MD5: 5c47aa979da42a463f42ec3c18d4525b
SHA1: ccacd5ed63c03630784f4b0cf036f210422f7d44
SHA256: 57ea051feee18c284d6a33446aacfe9a67f8c34bf7d226ffdde41b8291a25fd9
SHA512: 99a39cccf0f402b984ed638aab16afff1d9f78b55b4857ba87d6b1f6b09ecaba0ef40c8366e6d9ee57bdaa672d0eb212ce546ac090db085e49c7c2c7036ef26d