Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 13:25

General

  • Target

    19ed1f40bdd3b351e075af39d3ffa0ae.exe

  • Size

    902KB

  • MD5

    19ed1f40bdd3b351e075af39d3ffa0ae

  • SHA1

    6d20d83656bd4178581dd10df43596ad5f78279b

  • SHA256

    36a91eb16f6e147110311584e6d3b39c0e5c4f791c42e46c6175af674c65e9de

  • SHA512

    9701ca221669e3f23236e9c5be2caf28bd73470e9474e088f26c6383ec12141d1756e33532f8c9705a62109a2306a8cdfa1e60225fb4c5ff4fdee1b37432ae9a

  • SSDEEP

    12288:jt0VPFfsKAkrbPlXhHANUTNqmkupHANUTe:SFksb1Amkuu

Malware Config

Signatures

  • Gh0st RAT payload (1 IoC)
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (5 IoCs)

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Windows directory (3 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\19ed1f40bdd3b351e075af39d3ffa0ae.exe
    "C:\Users\Admin\AppData\Local\Temp\19ed1f40bdd3b351e075af39d3ffa0ae.exe"
    (process tree level 1)
    PID: 1972
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • \??\c:\Windows\(null)0.exe
      c:\Windows\(null)0.exe
      (process tree level 2)
      PID: 2308
      • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\(null)0.exe

    Filesize

    695KB

    MD5

    11807d0684499ab797117cba9e72aaeb

    SHA1

    58648e2bc9cd1a865e030b817086f734947da049

    SHA256

    f079d7ac988f4ab6409a0859f1fb9d3c9fb9c7dabe726af62823141547d9f59e

    SHA512

    7f8a1d9bfd246a23a1b5089d934fbbef052731437a9ea38bc701c2aa003e806b50e7919e846355780b9de44ecff50dcd7a5bfdb345dd88557dacdfc0e62a1fa5

  • C:\Windows\(null)0.exe

    Filesize

    413KB

    MD5

    01e50e2c4e37b37d5a226f29f3dd22ca

    SHA1

    2edc62bfe820fefb55fa68db73a15995dcda1f17

    SHA256

    acb3e010f053d6d4d2d7bf2c15369ccc96423346548972e9955e6176fe0542a0

    SHA512

    160a5ecf3072286eeff2bcf41958f10f5699f5d170560a1b93777ffd113e2dd30c66f5dd9aaa6154b32fb8aa62e9b162a12269522b51b501ab99ea02b142912f

  • memory/1972-0-0x0000000000400000-0x00000000004F1000-memory.dmp

    Filesize

    964KB

  • memory/1972-12-0x00000000026A0000-0x0000000002791000-memory.dmp

    Filesize

    964KB

  • memory/1972-9-0x00000000026A0000-0x0000000002791000-memory.dmp

    Filesize

    964KB

  • memory/2308-11-0x0000000000400000-0x00000000004F1000-memory.dmp

    Filesize

    964KB