Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 13:38

General

  • Target

    1a425c5603c76007a5935a3036d884b8.exe

  • Size

    192KB

  • MD5

    1a425c5603c76007a5935a3036d884b8

  • SHA1

    cad18af6cfbc3b8b9508316f7e1c02e3aa8ba4a3

  • SHA256

    df623b000d3c8ce0001450f34630d3b6a8c9793cfb3b95fcdf638751e83fd308

  • SHA512

    347ba6b40addc48c673513887e4765c64c1c8a59e3678363a6ebc32d5d34ad9ed9aeac68d67645c06c83bac804fd00d62204263472f467a310542ec4004e3cb2

  • SSDEEP

    3072:BVmshbnWBsdZCSf2JZdXs9k7u7nTsB2cyrda97eXMKQWzjLFFH9IKF5nivytqHmM:+sBnWBsdZCs4Zdp784gcyrJpQ7c

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information (for example the values under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0) is often read to detect sandboxes, whose virtual CPUs tend to expose telltale model names or core counts.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
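The MBR-write signature above is one a responder would want to verify on the affected host rather than take on trust. The script below is an added example, not part of the tria.ge report or of any tool it uses: it parses a raw 512-byte MBR sector, checks the partition table, and compares the bootstrap code against a baseline hash captured from a known-clean disk of the same build. The sample sectors, the disk signature and the baseline hash are all constructed here; on a live Windows host the first sector is read from \\.\PhysicalDrive0 through an elevated handle.

```python
"""Verify a Master Boot Record against a known-clean baseline.

Added example for the 'Writes to the Master Boot Record (MBR)' signature;
it is not part of the tria.ge report. All sectors below are constructed.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code; the 4-byte disk signature follows it
PART_TABLE_OFF = 446          # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype != 0:                        # type 0x00 marks an unused slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table is host-specific."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_boot_hash: str) -> dict:
    """Compare one sector with a baseline and return findings (empty means clean)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: not a valid MBR")
    if boot_code_hash(mbr) != baseline_boot_hash:
        findings.append("bootstrap code differs from clean baseline (possible bootkit)")
    parts = parse_partitions(mbr)
    active = sum(p.bootable for p in parts)
    if active != 1:
        findings.append(f"{active} active partitions, expected exactly 1")
    return {"partitions": parts, "findings": findings, "clean": not findings}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given bootstrap bytes plus one active NTFS partition."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = b"\x11\x22\x33\x44"      # constructed disk signature
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Stand-in bootstrap code (constructed, not the real Windows 7 MBR code):
# xor ax,ax / mov ss,ax / mov sp,0x7c00 followed by NOP padding.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)      # in practice captured from a clean image

# Constructed 'infected' sector: first instruction patched, partition table untouched.
INFECTED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE[2:])

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = check_mbr(sector, BASELINE_HASH)
        print(label, "ok" if result["clean"] else result["findings"])
```

The bootstrap-code comparison is the part that matters: a bootkit can replace the first 440 bytes and leave the partition table and the 0x55AA signature intact, so a check that only validates table structure reports the infected sector as healthy.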

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe
    "C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2196
    • \??\c:\users\admin\appdata\local\fuwmdl
      "C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe"a -s
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "netsvcs"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2416
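The tree above shows the whole chain a detection needs to catch: the dropper copies itself to an extensionless file under %LOCALAPPDATA% (fuwmdl), launches that copy with a command line that still names the original .exe plus "a -s", the original deletes itself, and a svchost.exe -k "netsvcs" host ends up loading a module from SysWOW64 with a .biz extension. The script below is an added example, not part of the tria.ge report: it runs four simple rules over constructed Sysmon-style events built from the paths and PIDs in the tree. The event order, the assumption that the self-delete targets the original dropper, and the assumption that feckk.biz is the "dropped DLL" svchost loads are mine, not the report's.

```python
"""Behavioural detections for the process tree shown above.

Added example, not part of the tria.ge report. The events are constructed
to mirror the tree using Sysmon-style fields (Image, CommandLine,
ImageLoaded, TargetFilename); they are not captured telemetry.
"""
import ntpath
from dataclasses import dataclass, field

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BINARY_EXTS = {".dll", ".exe", ".sys", ".ocx", ".cpl", ".drv"}   # what svchost normally maps


def norm(path: str) -> str:
    """Lower-case, strip quotes and the NT object-manager prefix the sandbox shows on some paths."""
    return path.strip('"').lower().replace("\\??\\", "")


def argv0(cmdline: str) -> str:
    """First token of a Windows command line (quoted program path or bare word)."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


@dataclass
class Detector:
    executed: dict = field(default_factory=dict)   # pid -> normalised image path
    alerts: list = field(default_factory=list)      # (pid, reason)

    def process_create(self, pid: int, image: str, cmdline: str) -> None:
        image_n = norm(image)
        self.executed[pid] = image_n
        folder, name = ntpath.split(image_n)
        # Stage 2 pattern: the dropper copies itself under AppData\Local with a
        # random name and no extension, then runs that copy.
        if "\\appdata\\local" in folder and "." not in name:
            self.alerts.append((pid, f"extensionless executable under AppData\\Local: {image_n}"))
        # argv[0] mismatch: this typically arises from CreateProcess being given the copy
        # as lpApplicationName while lpCommandLine still names the original file.
        a0 = norm(argv0(cmdline))
        if a0 and a0 != image_n:
            self.alerts.append((pid, f"argv[0] '{a0}' does not match image '{image_n}'"))

    def image_load(self, pid: int, image: str, cmdline: str, loaded: str) -> None:
        image_n, loaded_n = norm(image), norm(loaded)
        if ntpath.basename(image_n) == "svchost.exe" and "-k" in cmdline.lower():
            ext = ntpath.splitext(loaded_n)[1]
            if loaded_n.startswith(SYSTEM_DIRS) and ext not in BINARY_EXTS:
                self.alerts.append((pid, f"svchost mapped a module with a non-binary extension: {loaded_n}"))

    def file_delete(self, pid: int, target: str) -> None:
        target_n = norm(target)
        if target_n in self.executed.values():
            self.alerts.append((pid, f"executed dropper deleted: {target_n}"))


# Paths and PIDs from the report; event order and the deleted file are assumptions.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe"
COPY = r"\??\c:\users\admin\appdata\local\fuwmdl"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
DROPPED_DLL = r"\??\c:\windows\SysWOW64\feckk.biz"   # assumed to be the dropped DLL svchost loads


def run_sample() -> list:
    d = Detector()
    d.process_create(2196, DROPPER, f'"{DROPPER}"')
    d.process_create(2496, COPY, f'"{DROPPER}"a -s')
    d.image_load(2416, SVCHOST, 'C:\\Windows\\SysWOW64\\svchost.exe -k "netsvcs"', DROPPED_DLL)
    d.file_delete(2496, DROPPER)
    return d.alerts


if __name__ == "__main__":
    for pid, reason in run_sample():
        print(f"PID {pid}: {reason}")
```

Of the four rules, the argv[0]/image mismatch is the least likely to be in a stock rule set and the hardest for the dropper to avoid without changing how it launches stage 2; the extensionless-file and odd-extension rules are cheap but will need allow-listing on real fleets.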

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\fuwmdl

    Filesize

    18KB

    MD5

    4a978ce0c7936a0fa71e98c53fdcf65b

    SHA1

    c565ece9e36123f80dcd42318883d4712b6df2d2

    SHA256

    9bffa00478854b93d8c007a67e2b648a075b8ecd65fbb1edbc614e6ba68729a0

    SHA512

    38949401743b5a7703673c54de1d6b8ad5572f3dcc8c45d66e125f6e0b9ee2c3ed2c52c29d7c6c88e0adfc3e20b0aeaa6feba634926eee99d1aa71f50e03e818

  • \??\c:\users\admin\appdata\local\fuwmdl

    Filesize

    35KB

    MD5

    69fd2700f0f8b8822f38a99ae661ef43

    SHA1

    9ef025fe79f496b2b158175989bcbfeebecad2ef

    SHA256

    8d476dc4ab2478bc0e86d09195dfe7d16b099297a7991b15a970c5ee0a4dd125

    SHA512

    4c0407d8596d55ed1c67debcab4091072bd69ee960f411cfb235634a23944f4d9033f9ff74022e14f6aaeb8c703406bd569f1a89f88d4e033e58170cceeb351e

  • \??\c:\windows\SysWOW64\feckk.biz

    Filesize

    14KB

    MD5

    36fe2ee9603a34a12f89343327281ad7

    SHA1

    401a8472a62bd65f5726720156bce70eca32285c

    SHA256

    b4b8d64cbb1f0e6f71af65f3e9b710fcfa69d0fc4e06d542340f8e0ce32bab44

    SHA512

    49ca07601dd23ff0e97f57f6119a6f55c015d88372feb7384210b2446bf8acf9286f1e207968119924bbb267301926ca34553f7cd230e947118c739d1aa2e571

  • \Users\Admin\AppData\Local\fuwmdl

    Filesize

    34KB

    MD5

    cf9d47e47d67a091b9ccd551eaac0035

    SHA1

    8a4594a532be1945d43c53eaa322769f480afae9

    SHA256

    06e0a0c61110e1aa8479bb1705f4fe4413bf23b7b4900fde4f11e1b011922251

    SHA512

    0c557470595714ab6340fb68210e1766d2740f719a5ec0a990a21f7d2fdabb7ca3b4ea99a45ddab4d38e774d46d99cd0413d69921e1f3a88fb5989ffe682b7d5

  • \Windows\SysWOW64\feckk.biz

    Filesize

    16KB

    MD5

    5c394ebcd749e891e97cde4127b0145f

    SHA1

    9b77847dcb400da3498bb206f0e2756a40bfd387

    SHA256

    ef6e89a88085d89de1b13a0128f0bd60193a8e5491022295c6ed16cf7452e995

    SHA512

    06795025a31bd93eea8fec30ec115d88ae45f6428b665d7df0315cace1feffbefe85ba4a29d590b7cf79d437d7a7cd805326a612950050908fc675ef064b0a5a