Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
84s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30/12/2023, 13:38
General
-
Target
1a425c5603c76007a5935a3036d884b8.exe
-
Size
192KB
-
MD5
1a425c5603c76007a5935a3036d884b8
-
SHA1
cad18af6cfbc3b8b9508316f7e1c02e3aa8ba4a3
-
SHA256
df623b000d3c8ce0001450f34630d3b6a8c9793cfb3b95fcdf638751e83fd308
-
SHA512
347ba6b40addc48c673513887e4765c64c1c8a59e3678363a6ebc32d5d34ad9ed9aeac68d67645c06c83bac804fd00d62204263472f467a310542ec4004e3cb2
-
SSDEEP
3072:BVmshbnWBsdZCSf2JZdXs9k7u7nTsB2cyrda97eXMKQWzjLFFH9IKF5nivytqHmM:+sBnWBsdZCs4Zdp784gcyrJpQ7c
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe"C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\lrltki"C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe"a -s2⤵
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "netsvcs" -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5b19da683f18b5c4a4bcf1061dbf7bed0
SHA1c9d2b6297abd2f7f8e2bfee08dcde429cc1e7141
SHA25654c97c6365e3f2396e261d0517f8c8575f4a2168c503e19ce4f8260f66baaf12
SHA51221cb0310fcca8e7817a79f7aa534d222dd58fe386b22729359afd8b84951db72a682bbc9fd39790504cc3138cdf643743c927b940a9063b8e8008cf97720ea30
-
Filesize
29KB
MD58e590a032f77ede9c2827f7b64086981
SHA167f201c2051f2339b356f79d70c2f1b3285415e6
SHA256d296d3a2267d35d24680893ab8c838dbc43c302a4b485e5d3a764475e748a38f
SHA512f876db349b42a9f7b6b6ab6bc2e86aa27ad3f2763b4e0a40203959fd77b204b7fdded4665cf3333dd4beeaba3bff2d40eac8f24c83f0d2c1551abe4c0a19c51a
-
Filesize
35KB
MD5b3ba37726f58d90a0c939f02210de4e7
SHA11afe76d9f6b12789d6c118816bdd86b98b1c6e25
SHA2564f7c8f9544d887338491c3db46a68d05713f238a10e7d2fe8957a60f9416b7c0
SHA512e0de458c637d3c103687215c472cfc3be5401e77a6cbfb143a7371953edfe87d4707b187a958468a4ee5b70c5941756b6ff2ec253cd8850e443f007491ab1c68
-
Filesize
37KB
MD597a8d0a2b60564846920bb24f91eaa41
SHA15c7b55b5b11c802c48dcec6ed05be706ed868600
SHA256326f6b8fc88d7aa8ea906de55ca50875ed09517a63883e242a90e5dd1ec629e4
SHA512308df54917f1f8e37e33d311748ea818d4e87390603040ad0a05fcd1598418d70d79bc049f5ebdc583dcebfb8093a18fe3adb189cfc66c8ff968c9b934ff93eb