Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 20:25
Behavioral task: behavioral1
- Sample: 030ce9025e3b0093a26cd7b81e63a1cb.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 030ce9025e3b0093a26cd7b81e63a1cb.exe
- Resource: win10v2004-20231215-en
General
- Target: 030ce9025e3b0093a26cd7b81e63a1cb.exe
- Size: 524KB
- MD5: 030ce9025e3b0093a26cd7b81e63a1cb
- SHA1: 52600bacc4d3b0351a4da1e4011f694db33f22b5
- SHA256: 745ae4a224b7ee9aa20f1a880357d66c720ef163b8b183d99de4a1841a05afab
- SHA512: c90ce30de3efdc6b9696afff1eb3c4223113adf739aee602bf8311f23ffe7c0815e0d4488682b3267ac206a4de53d0db3607d0f28ae47006e7593e7b232e54dd
- SSDEEP: 12288:q08PKZVQQxfnr+TK7r79/J0NWNf37JcAayM5ahHjJ:t8AVQQxfnr+TK7r79/J0ofrJEyM5ahDJ
Malware Config
(none extracted)
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/files/0x000d00000001473e-4.dat
  yara_rule: family_gh0strat
- Executes dropped EXE (1 IoC)
  pid 2288, process (null)0.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\030ce9025e3b0093a26cd7b81e63a1cb.exe"
  process: 030ce9025e3b0093a26cd7b81e63a1cb.exe
- Drops file in Windows directory (3 IoCs)
  File created \??\c:\Windows\BJ.exe (process: 030ce9025e3b0093a26cd7b81e63a1cb.exe)
  File opened for modification \??\c:\Windows\BJ.exe (process: 030ce9025e3b0093a26cd7b81e63a1cb.exe)
  File created \??\c:\Windows\(null)0.exe (process: 030ce9025e3b0093a26cd7b81e63a1cb.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1200 wrote to memory of 2288 (process: 030ce9025e3b0093a26cd7b81e63a1cb.exe, procid_target 28)
  PID 1200 wrote to memory of 2288 (process: 030ce9025e3b0093a26cd7b81e63a1cb.exe, procid_target 28)
  PID 1200 wrote to memory of 2288 (process: 030ce9025e3b0093a26cd7b81e63a1cb.exe, procid_target 28)
  PID 1200 wrote to memory of 2288 (process: 030ce9025e3b0093a26cd7b81e63a1cb.exe, procid_target 28)
Processes
- C:\Users\Admin\AppData\Local\Temp\030ce9025e3b0093a26cd7b81e63a1cb.exe (command line: "C:\Users\Admin\AppData\Local\Temp\030ce9025e3b0093a26cd7b81e63a1cb.exe"), PID 1200
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - child: \??\c:\Windows\(null)0.exe (command line: c:\Windows\(null)0.exe), PID 2288
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 524KB
- MD5: 030ce9025e3b0093a26cd7b81e63a1cb
- SHA1: 52600bacc4d3b0351a4da1e4011f694db33f22b5
- SHA256: 745ae4a224b7ee9aa20f1a880357d66c720ef163b8b183d99de4a1841a05afab
- SHA512: c90ce30de3efdc6b9696afff1eb3c4223113adf739aee602bf8311f23ffe7c0815e0d4488682b3267ac206a4de53d0db3607d0f28ae47006e7593e7b232e54dd