Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/12/2023, 17:28

General

  • Target

    088341e5a0f8d27e0048b429faac30f1.exe

  • Size

    614KB

  • MD5

    088341e5a0f8d27e0048b429faac30f1

  • SHA1

    8b53e495b1b82f8e72dd2d70b0fd730439eac02f

  • SHA256

    469df9879320a3661e10006c71fa25ec2ddee91e398947c0ac551cd385296ca3

  • SHA512

    ffa931bb7b6cf7f08981baf8b7e85bbf62206805336a0ef49776de5d7992e6abcbd339c27274348e43748ef64e4290fcb1707de933c7d3f0e073d971a669455e

  • SSDEEP

    12288:3/eC0vZVQQxfnr+TK7r79/JenWAG36ATphjM5Bvd:3/XwVQQxfnr+TK7r79/Je3GqArjM5Bvd

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\088341e5a0f8d27e0048b429faac30f1.exe
    "C:\Users\Admin\AppData\Local\Temp\088341e5a0f8d27e0048b429faac30f1.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2408
    • \??\c:\Windows\svchest425112042511200.exe
      c:\Windows\svchest425112042511200.exe
      2⤵
      • Executes dropped EXE
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\svchest425112042511200.exe

    Filesize

    329KB

    MD5

    f407bfc67357abdadb6f6c717566210d

    SHA1

    fc8e3502f01a4438764981f60c7e8e5d05643b24

    SHA256

    f9e4fb22202a0265f3a7141cbeea15c4873a8b3b3c94327fccee33b0c543c777

    SHA512

    225a6503aea03f08ff29a96369b1c1c14614212bd539cd0ec40488a3e323d9cbdd4b3d5e5cfe862b70c555c9ca2ace72990e07cc57a426111a9fdcf3bc2b3dca

  • C:\Windows\svchest425112042511200.exe

    Filesize

    297KB

    MD5

    5ec07e02747f4f56d5f6fe90ba37eaff

    SHA1

    68ebcf8ff5d2942629ccb6f49f2186b73eac6fc3

    SHA256

    cfaf215a7181050ed55d4411a7027a84a232f121b6e68448df1e4ddf72713e65

    SHA512

    a77077a8994bbf2ef7781bf36ea621fe23914fcfaef6f704e90dbf57524747f24de4c76114331877cf8756351c8cd46bf7a5ed11aee00783fe4a07062960f0a5

  • \??\c:\Windows\svchest425112042511200.exe

    Filesize

    382KB

    MD5

    045072c2392d971b112c859d8e221172

    SHA1

    fcd4f876674df03dfe1eb6c603446a5204095868

    SHA256

    a6f844d16ddcb97cff0d1a45c42538a635db9396ac51242db1179d4bf8c080df

    SHA512

    867038ced32d41b599154f79676b6546855794d0775b1b23c2bed07e8e9ac236307002309671e55dd9998ce2fb090e8f2959e0642055e0dd2b422d48d4ef0040