Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 25/12/2023, 18:55
Behavioral task: behavioral1
- Sample: 360e24b8c530821239bf751fb43b4cde.exe
- Resource: win7-20231129-en
General
- Target: 360e24b8c530821239bf751fb43b4cde.exe
- Size: 196KB
- MD5: 360e24b8c530821239bf751fb43b4cde
- SHA1: 76c5e7b061de6a8968f5ba2de6a97bb636330e59
- SHA256: 7bfc9dbf2eac45bda0976334d99f6355d0468817f3247b2e235ec11df7d62d5e
- SHA512: e1981fa4e98a079e76a9e2aa099d294cfad72641fe99f2f9352741c4f5127596283a123cb5c078f00ed4e6e58d9ad2ea3fe830d6ff4f106c1d508d0cb6b22946
- SSDEEP: 6144:osIt6nW8QWBTyPRqyhYPbncTBlhHrtndnkv0:t9W8CJq8YPbncT30
Malware Config
Signatures
- Gh0st RAT payload (3 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x000c0000000122c4-6.dat    family_gh0strat
  behavioral1/files/0x000c0000000122c4-2.dat    family_gh0strat
  behavioral1/files/0x000a000000013ac5-9.dat    family_gh0strat
- Deletes itself (1 IoC)
  pid    Process
  1944   isjleugmru
- Executes dropped EXE (1 IoC)
  pid    Process
  1944   isjleugmru
- Loads dropped DLL (2 IoCs)
  pid    Process
  2968   360e24b8c530821239bf751fb43b4cde.exe
  3008   svchost.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                    Process
  File opened for modification   \??\PhysicalDrive0     svchost.exe
- Drops file in System32 directory (2 IoCs)
  description    ioc                               Process
  File created   C:\Windows\SysWOW64\oupbbeykhu    svchost.exe
  File created   C:\Windows\SysWOW64\odbtnxdpbp    svchost.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                    Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        svchost.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   svchost.exe
- Modifies data under HKEY_USERS (6 IoCs)
  description       ioc                                                                      Process
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie                   svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum           svchost.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"   svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum           svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software                                          svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft                                svchost.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid    Process
  1944   isjleugmru
  3008   svchost.exe
  3008   svchost.exe
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  pid    Process                  Token
  1944   isjleugmru               SeRestorePrivilege (x2), SeBackupPrivilege (x2)
  3008   svchost.exe              SeBackupPrivilege (x8), SeRestorePrivilege (x2), SeSecurityPrivilege (x4)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid    Process                                 procid_target
  PID 2968 wrote to memory of 1944    2968   360e24b8c530821239bf751fb43b4cde.exe    28   (same event recorded 7 times)
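The two explanatory lines in the Signatures block (raw-disk writes as a bootkit persistence indicator, CentralProcessor registry reads as a sandbox check) describe rules a triage script can re-derive from raw sandbox events. The following is an added example written for this page; it is not tria.ge's signature engine. The event records are constructed to mirror the IoCs above: the PIDs, process names, registry keys and file paths are the report's, while the event schema, the rule names, the "process_start" record for the sample and the file_create record for the dropped EXE are assumptions. It also folds in the caveat a practitioner applies to the "WriteProcessMemory" signature: the seven identical events are one parent (2968) writing into the child (1944) it has just created, which is what process creation looks like, not an injection into an unrelated process.

```python
"""Re-derive behavioural signatures of the kind tria.ge reports from raw sandbox events.

Added example, not tria.ge code. Event records below are constructed from the
report's IoCs; the schema and rule names are this example's own assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\360e24b8c530821239bf751fb43b4cde.exe"
DROPPED_EXE = r"c:\users\admin\appdata\local\isjleugmru"

# Constructed events: (pid, process, kind, target, extra)
# extra = child/target PID for process_create and write_process_memory, else None.
EVENTS = [
    (2968, "360e24b8c530821239bf751fb43b4cde.exe", "process_start", SAMPLE, None),       # assumed
    (2968, "360e24b8c530821239bf751fb43b4cde.exe", "file_create", DROPPED_EXE, None),    # assumed drop
    (2968, "360e24b8c530821239bf751fb43b4cde.exe", "process_create", DROPPED_EXE, 1944),
] + [
    (2968, "360e24b8c530821239bf751fb43b4cde.exe", "write_process_memory", "", 1944),
] * 7 + [
    (1944, "isjleugmru", "adjust_privilege", "SeRestorePrivilege", None),
    (1944, "isjleugmru", "adjust_privilege", "SeBackupPrivilege", None),
    (1944, "isjleugmru", "file_delete", SAMPLE, None),
    (3008, "svchost.exe", "file_open_write", r"\??\PhysicalDrive0", None),
    (3008, "svchost.exe", "file_create", r"C:\Windows\SysWOW64\oupbbeykhu", None),
    (3008, "svchost.exe", "file_create", r"C:\Windows\SysWOW64\odbtnxdpbp", None),
    (3008, "svchost.exe", "reg_open", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", None),
    (3008, "svchost.exe", "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", None),
    (3008, "svchost.exe", "adjust_privilege", "SeSecurityPrivilege", None),
    (3008, "svchost.exe", "adjust_privilege", "SeBackupPrivilege", None),
]

RAW_DISK = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.I)   # opening the raw disk for write = MBR access
CPU_KEY = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
SENSITIVE_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege", "SeDebugPrivilege"}


def evaluate(events):
    """Return {signature: [(pid, process, ioc), ...]} for a list of events."""
    hits = defaultdict(list)
    dropped, image, parent = set(), {}, {}   # paths the tree wrote; pid -> image; pid -> parent pid
    seen = set()                             # dedupe keys for the noisy rules
    for pid, proc, kind, target, extra in events:
        if kind == "process_start":
            image[pid] = target.lower()
        elif kind == "file_create":
            dropped.add(target.lower())
            if SYSTEM_DIRS.match(target):
                hits["drops_file_in_system32"].append((pid, proc, target))
        elif kind == "process_create":
            image[extra], parent[extra] = target.lower(), pid
            if target.lower() in dropped:
                hits["executes_dropped_exe"].append((extra, target, f"created by PID {pid}"))
        elif kind == "write_process_memory" and extra != pid and (pid, extra) not in seen:
            seen.add((pid, extra))
            # A parent writing into a child it created is ordinary process creation;
            # a write into an unrelated process is the injection case worth escalating.
            note = ("parent->child, consistent with process creation"
                    if parent.get(extra) == pid else "cross-process write, injection candidate")
            hits["write_process_memory"].append((pid, proc, f"PID {extra}: {note}"))
        elif kind == "file_delete":
            # "Deletes itself": the deleted file is the image of this process or an ancestor.
            lineage, p = [], pid
            while p is not None:
                lineage.append(p)
                p = parent.get(p)
            if any(image.get(q) == target.lower() for q in lineage):
                hits["deletes_itself"].append((pid, proc, target))
        elif kind == "file_open_write" and RAW_DISK.match(target):
            hits["writes_mbr"].append((pid, proc, target))
        elif kind in ("reg_open", "reg_query") and CPU_KEY.search(target):
            hits["checks_processor_info"].append((pid, proc, target))
        elif kind == "adjust_privilege" and target in SENSITIVE_PRIVS and (pid, target) not in seen:
            seen.add((pid, target))
            hits["adjust_privilege_token"].append((pid, proc, target))
    return dict(hits)


if __name__ == "__main__":
    for sig, iocs in evaluate(EVENTS).items():
        print(f"{sig} ({len(iocs)} IoCs)")
        for pid, proc, ioc in iocs:
            print(f"  {pid:>5}  {proc:<40}  {ioc}")
```

Run against the constructed events, the script reproduces every signature in the report above, collapses the repeated WriteProcessMemory events into a single parent-to-child finding, and dedupes the privilege tokens per process so that a backup/restore/security trio on the svchost.exe host stands out as one item rather than fourteen.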
Processes
- C:\Users\Admin\AppData\Local\Temp\360e24b8c530821239bf751fb43b4cde.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\360e24b8c530821239bf751fb43b4cde.exe"
  PID: 2968
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\isjleugmru (depth 2, child of PID 2968)
    Command line: "C:\Users\Admin\AppData\Local\Temp\360e24b8c530821239bf751fb43b4cde.exe" a -sc:\users\admin\appdata\local\temp\360e24b8c530821239bf751fb43b4cde.exe
    PID: 1944
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 3008
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: b39831acb2b33424094671414d877d6a
  SHA1: 8b2a41562f8890b150770f4e4b1d7814abd5b2ca
  SHA256: f46c99860d3048c213a5b61d29080ae52ee3e8fe5283a8b998c2427dd0e5cf7c
  SHA512: b5034f46c20756bfdd3f6efccbd2c2d70bcb676807350f7a00374a40b8347d607ceb506cd76101338926ca43843f43821b4bb2b3b08f4b2fda004343e631ec2a
- Filesize: 381KB
  MD5: 4e7424a18ffc8d1bd134b3f4dac57dcf
  SHA1: e92a8820fe3a1781a8b70d72df75570c86154407
  SHA256: 929f0e3b0ce412764938246d9bbac67feb2721ef4d59e801874b59d26d526117
  SHA512: 23e70734b4b27cd4f817783419ab204136206b90c8fbf318ed6572a108fa29be0d8241af064b3973c4bc560ab6dea0a6f01e1af46e7b4219c24a07891f487d88