Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 17:28
Behavioral task: behavioral1
Sample: 088341e5a0f8d27e0048b429faac30f1.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 088341e5a0f8d27e0048b429faac30f1.exe
Resource: win10v2004-20231215-en
General
Target: 088341e5a0f8d27e0048b429faac30f1.exe
Size: 614KB
MD5: 088341e5a0f8d27e0048b429faac30f1
SHA1: 8b53e495b1b82f8e72dd2d70b0fd730439eac02f
SHA256: 469df9879320a3661e10006c71fa25ec2ddee91e398947c0ac551cd385296ca3
SHA512: ffa931bb7b6cf7f08981baf8b7e85bbf62206805336a0ef49776de5d7992e6abcbd339c27274348e43748ef64e4290fcb1707de933c7d3f0e073d971a669455e
SSDEEP: 12288:3/eC0vZVQQxfnr+TK7r79/JenWAG36ATphjM5Bvd:3/XwVQQxfnr+TK7r79/Je3GqArjM5Bvd
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000015647-6.dat | family_gh0strat
  behavioral1/files/0x000b000000015647-4.dat | family_gh0strat
- Executes dropped EXE (1 IoC)
  pid | Process
  2344 | svchest000.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "c:\\Windows\\notepab.exe" | 088341e5a0f8d27e0048b429faac30f1.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | \??\c:\Windows\BJ.exe | 088341e5a0f8d27e0048b429faac30f1.exe
  File opened for modification | \??\c:\Windows\BJ.exe | 088341e5a0f8d27e0048b429faac30f1.exe
  File created | \??\c:\Windows\svchest000.exe | 088341e5a0f8d27e0048b429faac30f1.exe
  File opened for modification | \??\c:\Windows\svchest000.exe | 088341e5a0f8d27e0048b429faac30f1.exe
  File created | \??\c:\Windows\notepab.exe | 088341e5a0f8d27e0048b429faac30f1.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2656 wrote to memory of 2344 | 2656 | 088341e5a0f8d27e0048b429faac30f1.exe | 26
  PID 2656 wrote to memory of 2344 | 2656 | 088341e5a0f8d27e0048b429faac30f1.exe | 26
  PID 2656 wrote to memory of 2344 | 2656 | 088341e5a0f8d27e0048b429faac30f1.exe | 26
  PID 2656 wrote to memory of 2344 | 2656 | 088341e5a0f8d27e0048b429faac30f1.exe | 26
Processes
- C:\Users\Admin\AppData\Local\Temp\088341e5a0f8d27e0048b429faac30f1.exe (command line: "C:\Users\Admin\AppData\Local\Temp\088341e5a0f8d27e0048b429faac30f1.exe"), PID 2656
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - child process: \??\c:\Windows\svchest000.exe (command line: c:\Windows\svchest000.exe), PID 2344
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 148KB
  MD5: 5c747cf81c7c97ebea04fe764864c4bb
  SHA1: 360d56d6ff9aa012a272ea4a5ca8446b3d6a57bc
  SHA256: ff12f683be256c6f57d1a55b58b2ca55d7ca709a512fb59afa037e6bb03584f5
  SHA512: 77482f18eecc13de33fa2389292fed7a59b4f2c8cc50261e1751309676616d990902a8aa5ba7736a8eb3568a328d3635679b6b5d85e13a6a6fbe86a8e16c5d6e
- Filesize: 145KB
  MD5: 3cb56cd5a654e3d82fc8e618311b8c4f
  SHA1: 978729a16280d294a157a605aa76b3ece902791a
  SHA256: f46b6824e329f10abd39aba2c71705c3ddf8b001d42a9752d270f600cebf6545
  SHA512: 389edc6c2e73a2fb621bb50bfb9e2526b2822fd5770fcd146559a7c784a5076d1ed17d350caa1ff6698b602a495c28ca7bf6336b116f64992b7cb4d5a40d9373