Analysis

max time kernel:  120s
max time network: 123s
platform:         windows7_x64
resource:         win7-20231215-en
resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted:        30/12/2023, 13:38
Static task: static1

Behavioral task: behavioral1
  Sample:   1a425c5603c76007a5935a3036d884b8.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   1a425c5603c76007a5935a3036d884b8.exe
  Resource: win10v2004-20231215-en
General

Target: 1a425c5603c76007a5935a3036d884b8.exe
Size:   192KB
MD5:    1a425c5603c76007a5935a3036d884b8
SHA1:   cad18af6cfbc3b8b9508316f7e1c02e3aa8ba4a3
SHA256: df623b000d3c8ce0001450f34630d3b6a8c9793cfb3b95fcdf638751e83fd308
SHA512: 347ba6b40addc48c673513887e4765c64c1c8a59e3678363a6ebc32d5d34ad9ed9aeac68d67645c06c83bac804fd00d62204263472f467a310542ec4004e3cb2
SSDEEP: 3072:BVmshbnWBsdZCSf2JZdXs9k7u7nTsB2cyrda97eXMKQWzjLFFH9IKF5nivytqHmM:+sBnWBsdZCs4Zdp784gcyrJpQ7c
Malware Config
Signatures

Gh0st RAT payload (2 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x0035000000016cd3-9.dat   family_gh0strat
  behavioral1/files/0x0035000000016cd3-10.dat  family_gh0strat

Deletes itself (1 IoC)
  pid   Process
  2496  fuwmdl

Executes dropped EXE (1 IoC)
  pid   Process
  2496  fuwmdl

Loads dropped DLL (2 IoCs)
  pid   Process
  2196  1a425c5603c76007a5935a3036d884b8.exe
  2416  svchost.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system. The IoC here is a write-capable open of the raw disk device \??\PhysicalDrive0 by svchost.exe (PID 2416); sector 0 of that device holds the MBR, so this is the handle a bootkit needs, although the open alone does not show which sectors were overwritten.
  description                    ioc                  Process
  File opened for modification   \??\PhysicalDrive0   svchost.exe

Drops file in System32 directory (3 IoCs)
  description                    ioc                              Process
  File created                   C:\Windows\SysWOW64\hmvgwjkghk   svchost.exe
  File created                   C:\Windows\SysWOW64\hujyfmmduf   svchost.exe
  File opened for modification   C:\Windows\SysWOW64\feckk.biz    fuwmdl

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here svchost.exe opens the CentralProcessor\0 key and queries its ~MHz value, a clock-speed reading that malware commonly compares against what it expects on real hardware.
  description         ioc                                                                     Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        svchost.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   svchost.exe

Modifies data under HKEY_USERS (5 IoCs)
  HKU\.DEFAULT is the profile used by the LocalSystem account, so writes there are consistent with svchost.exe -k "netsvcs" running as SYSTEM. The ActiveMovie\devenum\Version value is written when DirectShow's device enumerator is initialized.
  description       ioc                                                                             Process
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"    svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum                  svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software                                                svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft                                      svchost.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                          svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2416  svchost.exe
  2416  svchost.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2196  1a425c5603c76007a5935a3036d884b8.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  SeBackupPrivilege and SeRestorePrivilege together let a process read and write files regardless of their ACLs; SeSecurityPrivilege allows access to the security event log and SACLs.
  description                  pid   Process
  Token: SeRestorePrivilege    2496  fuwmdl
  Token: SeBackupPrivilege     2496  fuwmdl
  Token: SeBackupPrivilege     2496  fuwmdl
  Token: SeRestorePrivilege    2496  fuwmdl
  Token: SeBackupPrivilege     2416  svchost.exe
  Token: SeRestorePrivilege    2416  svchost.exe
  Token: SeBackupPrivilege     2416  svchost.exe
  Token: SeBackupPrivilege     2416  svchost.exe
  Token: SeSecurityPrivilege   2416  svchost.exe
  Token: SeSecurityPrivilege   2416  svchost.exe
  Token: SeBackupPrivilege     2416  svchost.exe
  Token: SeBackupPrivilege     2416  svchost.exe
  Token: SeSecurityPrivilege   2416  svchost.exe
  Token: SeBackupPrivilege     2416  svchost.exe
  Token: SeBackupPrivilege     2416  svchost.exe
  Token: SeSecurityPrivilege   2416  svchost.exe
  Token: SeBackupPrivilege     2416  svchost.exe
  Token: SeRestorePrivilege    2416  svchost.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process                                procid_target
  PID 2196 wrote to memory of 2496   2196  1a425c5603c76007a5935a3036d884b8.exe   28
  (the same event is recorded 7 times)
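The two signature descriptions above (the MBR write and the processor-information check) say what the behaviour means but not how to recognise it in event data. The following Python script is an added example, not part of this Triage report and not Triage's own detection engine: it represents IOC rows like the ones in this section as structured events and runs four rules over them, one each for a write-capable open of a raw disk device, a query of the CPU ~MHz value, a file dropped under System32/SysWOW64 without a normal system extension, and a process that enables both SeBackupPrivilege and SeRestorePrivilege. The sample events are constructed from this report's IOCs plus two benign control rows (explorer.exe and TrustedInstaller.exe); the three-field row layout, the rule names and the extension allow-list are assumptions of the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One behavioural IOC row: what was done, to what, by which process.
    The three-field layout mirrors the 'description / ioc / Process' rows
    in the report; it is an assumption of this example, not a Triage schema."""
    action: str
    target: str
    process: str


# Constructed from the IOCs listed in this report's Signatures section,
# plus two benign control rows (the last two) that no rule should flag.
SAMPLE_EVENTS = [
    Event("File opened for modification", r"\??\PhysicalDrive0", "svchost.exe"),
    Event("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "svchost.exe"),
    Event("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "svchost.exe"),
    Event("File created", r"C:\Windows\SysWOW64\hmvgwjkghk", "svchost.exe"),
    Event("File created", r"C:\Windows\SysWOW64\hujyfmmduf", "svchost.exe"),
    Event("File opened for modification", r"C:\Windows\SysWOW64\feckk.biz", "fuwmdl"),
    Event("Token", "SeRestorePrivilege", "fuwmdl"),
    Event("Token", "SeBackupPrivilege", "fuwmdl"),
    Event("Token", "SeBackupPrivilege", "svchost.exe"),
    Event("Token", "SeSecurityPrivilege", "svchost.exe"),
    Event("Token", "SeRestorePrivilege", "svchost.exe"),
    Event("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "explorer.exe"),
    Event("File created", r"C:\Windows\SysWOW64\msvcp140.dll", "TrustedInstaller.exe"),
]

# Raw-device names a user-mode process opens to reach sector 0 (the MBR):
# \??\PhysicalDriveN or \Device\HarddiskN\DRN.
RAW_DISK = re.compile(r"^\\(\?\?|Device)\\(PhysicalDrive\d+|Harddisk\d+\\DR\d+)$", re.IGNORECASE)
# CPU key under HKLM\HARDWARE; the optional trailing component is the value name.
CPU_KEY = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\(?P<value>[^\\]+))?$", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\(?P<name>[^\\]+)$", re.IGNORECASE)
WRITE_ACTIONS = {"File opened for modification", "File created"}
# Extensions legitimately written into the system directories (assumed allow-list).
EXPECTED_EXT = {".dll", ".exe", ".sys", ".mui", ".ocx", ".cpl", ".drv", ".ax"}


def raw_disk_writers(events):
    """Processes that opened a raw disk device for writing (bootkit/MBR tampering)."""
    return sorted({e.process for e in events
                   if e.action in WRITE_ACTIONS and RAW_DISK.match(e.target)})


def cpu_probe_processes(events):
    """Processes that queried the CPU ~MHz value (a common sandbox/VM check)."""
    hits = set()
    for e in events:
        m = CPU_KEY.search(e.target)
        if m and e.action == "Key value queried" and (m.group("value") or "").lower() == "~mhz":
            hits.add(e.process)
    return sorted(hits)


def odd_system_drops(events):
    """Files written under System32/SysWOW64 whose name lacks a normal system extension."""
    odd = set()
    for e in events:
        m = SYSTEM_DIR.match(e.target)
        if not m or e.action not in WRITE_ACTIONS:
            continue
        name = m.group("name").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in EXPECTED_EXT:
            odd.add(e.target)
    return sorted(odd)


def backup_restore_pairs(events):
    """Processes enabling both SeBackupPrivilege and SeRestorePrivilege (ACL bypass)."""
    privs = defaultdict(set)
    for e in events:
        if e.action == "Token":
            privs[e.process].add(e.target)
    return sorted(p for p, s in privs.items() if {"SeBackupPrivilege", "SeRestorePrivilege"} <= s)


def triage(events):
    """Run every rule; a non-empty list means that behaviour was observed."""
    return {
        "mbr_write": raw_disk_writers(events),
        "cpu_mhz_probe": cpu_probe_processes(events),
        "odd_system_drop": odd_system_drops(events),
        "backup_restore_privs": backup_restore_pairs(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(f"{rule:22s} {hits}")
```

Run against the constructed events, the raw-disk rule fires only for svchost.exe, the ~MHz rule fires for svchost.exe but not for explorer.exe's ProcessorNameString lookup, the system-directory rule flags the three extension-less or oddly named drops and ignores msvcp140.dll, and the privilege rule flags both fuwmdl and svchost.exe. The raw-disk rule is a necessary-but-not-sufficient signal: a write-capable open of PhysicalDrive0 is what a bootkit needs, but confirming the MBR changed requires comparing sector 0 before and after (or the sandbox's own disk diff).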
Processes

C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe  (PID 2196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\fuwmdl  (PID 2496, child of PID 2196)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe" a -s
    - Deletes itself
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe  (PID 2416)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "netsvcs"
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 18KB
MD5:    4a978ce0c7936a0fa71e98c53fdcf65b
SHA1:   c565ece9e36123f80dcd42318883d4712b6df2d2
SHA256: 9bffa00478854b93d8c007a67e2b648a075b8ecd65fbb1edbc614e6ba68729a0
SHA512: 38949401743b5a7703673c54de1d6b8ad5572f3dcc8c45d66e125f6e0b9ee2c3ed2c52c29d7c6c88e0adfc3e20b0aeaa6feba634926eee99d1aa71f50e03e818

Filesize: 35KB
MD5:    69fd2700f0f8b8822f38a99ae661ef43
SHA1:   9ef025fe79f496b2b158175989bcbfeebecad2ef
SHA256: 8d476dc4ab2478bc0e86d09195dfe7d16b099297a7991b15a970c5ee0a4dd125
SHA512: 4c0407d8596d55ed1c67debcab4091072bd69ee960f411cfb235634a23944f4d9033f9ff74022e14f6aaeb8c703406bd569f1a89f88d4e033e58170cceeb351e

Filesize: 14KB
MD5:    36fe2ee9603a34a12f89343327281ad7
SHA1:   401a8472a62bd65f5726720156bce70eca32285c
SHA256: b4b8d64cbb1f0e6f71af65f3e9b710fcfa69d0fc4e06d542340f8e0ce32bab44
SHA512: 49ca07601dd23ff0e97f57f6119a6f55c015d88372feb7384210b2446bf8acf9286f1e207968119924bbb267301926ca34553f7cd230e947118c739d1aa2e571

Filesize: 34KB
MD5:    cf9d47e47d67a091b9ccd551eaac0035
SHA1:   8a4594a532be1945d43c53eaa322769f480afae9
SHA256: 06e0a0c61110e1aa8479bb1705f4fe4413bf23b7b4900fde4f11e1b011922251
SHA512: 0c557470595714ab6340fb68210e1766d2740f719a5ec0a990a21f7d2fdabb7ca3b4ea99a45ddab4d38e774d46d99cd0413d69921e1f3a88fb5989ffe682b7d5

Filesize: 16KB
MD5:    5c394ebcd749e891e97cde4127b0145f
SHA1:   9b77847dcb400da3498bb206f0e2756a40bfd387
SHA256: ef6e89a88085d89de1b13a0128f0bd60193a8e5491022295c6ed16cf7452e995
SHA512: 06795025a31bd93eea8fec30ec115d88ae45f6428b665d7df0315cace1feffbefe85ba4a29d590b7cf79d437d7a7cd805326a612950050908fc675ef064b0a5a