Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 18:55

General

  • Target

    360e24b8c530821239bf751fb43b4cde.exe

  • Size

    196KB

  • MD5

    360e24b8c530821239bf751fb43b4cde

  • SHA1

    76c5e7b061de6a8968f5ba2de6a97bb636330e59

  • SHA256

    7bfc9dbf2eac45bda0976334d99f6355d0468817f3247b2e235ec11df7d62d5e

  • SHA512

    e1981fa4e98a079e76a9e2aa099d294cfad72641fe99f2f9352741c4f5127596283a123cb5c078f00ed4e6e58d9ad2ea3fe830d6ff4f106c1d508d0cb6b22946

  • SSDEEP

    6144:osIt6nW8QWBTyPRqyhYPbncTBlhHrtndnkv0:t9W8CJq8YPbncT30

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\360e24b8c530821239bf751fb43b4cde.exe
    "C:\Users\Admin\AppData\Local\Temp\360e24b8c530821239bf751fb43b4cde.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2968
    • \??\c:\users\admin\appdata\local\isjleugmru
      "C:\Users\Admin\AppData\Local\Temp\360e24b8c530821239bf751fb43b4cde.exe" a -sc:\users\admin\appdata\local\temp\360e24b8c530821239bf751fb43b4cde.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1944
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\users\admin\appdata\local\isjleugmru

    Filesize

    92KB

    MD5

    b39831acb2b33424094671414d877d6a

    SHA1

    8b2a41562f8890b150770f4e4b1d7814abd5b2ca

    SHA256

    f46c99860d3048c213a5b61d29080ae52ee3e8fe5283a8b998c2427dd0e5cf7c

    SHA512

    b5034f46c20756bfdd3f6efccbd2c2d70bcb676807350f7a00374a40b8347d607ceb506cd76101338926ca43843f43821b4bb2b3b08f4b2fda004343e631ec2a

  • \Users\Admin\AppData\Local\isjleugmru

    Filesize

    381KB

    MD5

    4e7424a18ffc8d1bd134b3f4dac57dcf

    SHA1

    e92a8820fe3a1781a8b70d72df75570c86154407

    SHA256

    929f0e3b0ce412764938246d9bbac67feb2721ef4d59e801874b59d26d526117

    SHA512

    23e70734b4b27cd4f817783419ab204136206b90c8fbf318ed6572a108fa29be0d8241af064b3973c4bc560ab6dea0a6f01e1af46e7b4219c24a07891f487d88

  • memory/3008-11-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB