Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 13:25
Behavioral task: behavioral1
- Sample: 19ed1f40bdd3b351e075af39d3ffa0ae.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 19ed1f40bdd3b351e075af39d3ffa0ae.exe
- Resource: win10v2004-20231222-en
General
- Target: 19ed1f40bdd3b351e075af39d3ffa0ae.exe
- Size: 902KB
- MD5: 19ed1f40bdd3b351e075af39d3ffa0ae
- SHA1: 6d20d83656bd4178581dd10df43596ad5f78279b
- SHA256: 36a91eb16f6e147110311584e6d3b39c0e5c4f791c42e46c6175af674c65e9de
- SHA512: 9701ca221669e3f23236e9c5be2caf28bd73470e9474e088f26c6383ec12141d1756e33532f8c9705a62109a2306a8cdfa1e60225fb4c5ff4fdee1b37432ae9a
- SSDEEP: 12288:jt0VPFfsKAkrbPlXhHANUTNqmkupHANUTe:SFksb1Amkuu
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2308-11-0x0000000000400000-0x00000000004F1000-memory.dmp
  yara_rule: family_gh0strat
- Executes dropped EXE (1 IoC)
  pid: 2308
  Process: (null)0.exe
- yara_rule upx matches (resource, yara_rule)
  behavioral1/memory/1972-0-0x0000000000400000-0x00000000004F1000-memory.dmp, upx
  behavioral1/files/0x0009000000016176-5.dat, upx
  behavioral1/memory/2308-11-0x0000000000400000-0x00000000004F1000-memory.dmp, upx
  behavioral1/memory/1972-9-0x00000000026A0000-0x0000000002791000-memory.dmp, upx
  behavioral1/files/0x0009000000016176-8.dat, upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\19ed1f40bdd3b351e075af39d3ffa0ae.exe"
  Process: 19ed1f40bdd3b351e075af39d3ffa0ae.exe
- Drops file in Windows directory (3 IoCs)
  File created: \??\c:\Windows\(null)0.exe (Process: 19ed1f40bdd3b351e075af39d3ffa0ae.exe)
  File opened for modification: \??\c:\Windows\BJ.exe (Process: 19ed1f40bdd3b351e075af39d3ffa0ae.exe)
  File created: \??\c:\Windows\BJ.exe (Process: 19ed1f40bdd3b351e075af39d3ffa0ae.exe)
- Suspicious use of WriteProcessMemory (4 IoCs; columns: description, pid, Process, procid_target)
  PID 1972 wrote to memory of 2308, 1972, 19ed1f40bdd3b351e075af39d3ffa0ae.exe, 28
  PID 1972 wrote to memory of 2308, 1972, 19ed1f40bdd3b351e075af39d3ffa0ae.exe, 28
  PID 1972 wrote to memory of 2308, 1972, 19ed1f40bdd3b351e075af39d3ffa0ae.exe, 28
  PID 1972 wrote to memory of 2308, 1972, 19ed1f40bdd3b351e075af39d3ffa0ae.exe, 28
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\19ed1f40bdd3b351e075af39d3ffa0ae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19ed1f40bdd3b351e075af39d3ffa0ae.exe"
  PID: 1972
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - Level 2: \??\c:\Windows\(null)0.exe
    Command line: c:\Windows\(null)0.exe
    PID: 2308
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 695KB
  MD5: 11807d0684499ab797117cba9e72aaeb
  SHA1: 58648e2bc9cd1a865e030b817086f734947da049
  SHA256: f079d7ac988f4ab6409a0859f1fb9d3c9fb9c7dabe726af62823141547d9f59e
  SHA512: 7f8a1d9bfd246a23a1b5089d934fbbef052731437a9ea38bc701c2aa003e806b50e7919e846355780b9de44ecff50dcd7a5bfdb345dd88557dacdfc0e62a1fa5
- Filesize: 413KB
  MD5: 01e50e2c4e37b37d5a226f29f3dd22ca
  SHA1: 2edc62bfe820fefb55fa68db73a15995dcda1f17
  SHA256: acb3e010f053d6d4d2d7bf2c15369ccc96423346548972e9955e6176fe0542a0
  SHA512: 160a5ecf3072286eeff2bcf41958f10f5699f5d170560a1b93777ffd113e2dd30c66f5dd9aaa6154b32fb8aa62e9b162a12269522b51b501ab99ea02b142912f