Analysis
  max time kernel:  151s
  max time network: 124s
  platform:         windows7_x64
  resource:         win7-20231215-en
  resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:        31/12/2023, 02:06
Behavioral task: behavioral1
  Sample:   23e43d7a5d3e5422e7369143f6b0c461.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample:   23e43d7a5d3e5422e7369143f6b0c461.exe
  Resource: win10v2004-20231215-en
General
  Target: 23e43d7a5d3e5422e7369143f6b0c461.exe
  Size:   916KB
  MD5:    23e43d7a5d3e5422e7369143f6b0c461
  SHA1:   fab82ebd489b3b6e229f38252c248536f6116a68
  SHA256: 78c306a02f8a7e8a0584243301d15aaa311194e8d5c90c33da39951e716e3d3a
  SHA512: a9a99b49d5a43a3817fefb59da91491eadaf3ec27c932458f5c5361590a40e21b18a4d5e926b56fc37aa4b27c1f5f01e83f3a8b0907c1001368f7be2803beca6
  SSDEEP: 12288:iM5jZKbBL3aKHx5r+TuxX+fWbwFBfdGmZRJ:iM5j8Z3aKHx5r+TuxX+IwffFZRJ
Malware Config
Signatures
  Gh0st RAT payload (1 IoC)
    resource:  behavioral1/files/0x000c000000014fdd-4.dat
    yara_rule: family_gh0strat
  Executes dropped EXE (1 IoC)
    PID 2112  Process: svchest001465662051.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "c:\\Windows\\notepab.exe"
      Process: 23e43d7a5d3e5422e7369143f6b0c461.exe
  Drops file in Windows directory (5 IoCs)
    File created:               \??\c:\Windows\svchest001465662051.exe  Process: 23e43d7a5d3e5422e7369143f6b0c461.exe
    File opened for modification: \??\c:\Windows\svchest001465662051.exe  Process: 23e43d7a5d3e5422e7369143f6b0c461.exe
    File created:               \??\c:\Windows\notepab.exe              Process: 23e43d7a5d3e5422e7369143f6b0c461.exe
    File created:               \??\c:\Windows\BJ.exe                   Process: 23e43d7a5d3e5422e7369143f6b0c461.exe
    File opened for modification: \??\c:\Windows\BJ.exe                   Process: 23e43d7a5d3e5422e7369143f6b0c461.exe
  Suspicious use of WriteProcessMemory (4 IoCs)
    PID 2672 wrote to memory of 2112  Process: 23e43d7a5d3e5422e7369143f6b0c461.exe  procid_target: 28
    PID 2672 wrote to memory of 2112  Process: 23e43d7a5d3e5422e7369143f6b0c461.exe  procid_target: 28
    PID 2672 wrote to memory of 2112  Process: 23e43d7a5d3e5422e7369143f6b0c461.exe  procid_target: 28
    PID 2672 wrote to memory of 2112  Process: 23e43d7a5d3e5422e7369143f6b0c461.exe  procid_target: 28
Processes
  1. C:\Users\Admin\AppData\Local\Temp\23e43d7a5d3e5422e7369143f6b0c461.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\23e43d7a5d3e5422e7369143f6b0c461.exe"
     PID: 2672
       - Adds Run key to start application
       - Drops file in Windows directory
       - Suspicious use of WriteProcessMemory
     2. \??\c:\Windows\svchest001465662051.exe (child of PID 2672)
        command line: c:\Windows\svchest001465662051.exe
        PID: 2112
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15