Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

3f716c25e7...e5.exe

windows7-x64

10

3f716c25e7...e5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2024, 00:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f716c25e7df8ce2fc0274e25020e9e5.exe

  • Size

    124KB

  • MD5

    3f716c25e7df8ce2fc0274e25020e9e5

  • SHA1

    5db0dc65a755898203c110bf139f677fe61be3e1

  • SHA256

    7a44b15786cc731bc1bca9a1765bb4997ac7fce3c684ae1aa5dcd18e686936fd

  • SHA512

    1b9bd43d3c7c774ce54a25430ccd87ee2e81dc3537e1917eb44712e80114bfbd12d7fc5cc4361d2e3a21433aa15cf9529cdf927d85150b82ad3225db074f1adc

  • SSDEEP

    3072:sswzCxfRbmdkIXs2+4fiKwjsb1Fe4U8Q2aSn95:+zwdmdtX/KKWsb1pYs95

Score
10/10
gh0stratpersistenceratvmprotect

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Drops file in Drivers directory 3 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    PID:2960
  • C:\Users\Admin\AppData\Local\Temp\tempdir.exe
    C:\Users\Admin\AppData\Local\Temp\tempdir.exe
    1⤵
    • Drops file in Drivers directory
    • Sets DLL path for service in the registry
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:2944
  • C:\Users\Admin\AppData\Local\Temp\3f716c25e7df8ce2fc0274e25020e9e5.exe
    "C:\Users\Admin\AppData\Local\Temp\3f716c25e7df8ce2fc0274e25020e9e5.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tempdir.exe
    Filesize

    50KB

    MD5

    659cdc570b7e2a0b2b489442e2f89e49

    SHA1

    65fc9f2cfdbd254cc0931a1346cdb7ef4b3dd9f8

    SHA256

    ced8b1bb0cd38391f34cf348a495708cd0596991aa31d8a5cfdf2ef9d0c2f050

    SHA512

    98a0117f05489995394f7e32005d74652b75bf64533b8c61c43106a1dadc1c704b30dbeaea58cae36b6b728cfb36d089536a97a95ab6f723e854c6113a659e2a

    Download Submit

  • C:\Windows\SysWOW64\install.tmp
    Filesize

    45B

    MD5

    892c7552aec2c2f02d1b1d59b4652483

    SHA1

    a4a466cab59f02810a8c389298fc8e28870eeff2

    SHA256

    3d3d2111300afb78931cf172f516a34a6c49a0c65db7060a504991b72c70bf1b

    SHA512

    53ca994d8b509e00c2ab097bf65fe32e93d14751ae0b46ccd7a8b52607dde0297beeef4c16b5f11116c8785e39d3021ef7e4041a9d0c92160c04c4dd26a6c920

    Download Submit

  • \Users\Admin\AppData\Local\Temp\dll.tmp
    Filesize

    95KB

    MD5

    c3c68e29118de190c10c26175164b25e

    SHA1

    7abcfa9a9b87e2dd52c9d7dc52017b0dc94c5eca

    SHA256

    b536f46337b0a5ba06a20fb9dbe47f2d779c1c0f7683b1185a647efce1191d31

    SHA512

    53e55a61b1266d2a66f5c7ecf177293411f54d845e94176332539b46fd4dcb057beffc2f8c6888621ca12cefe8253408708de894b177bc64356a1e0adb962586

    Download Submit

  • \Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll
    Filesize

    95KB

    MD5

    2d9fb598db8f2eabfb8114f803b7664d

    SHA1

    4eeae3474be1c999f07152a62c6a4b8d4b06b81a

    SHA256

    367e2ceabed8aa44d92febf26d8010663393e004f9fcbc617d7f29ff9b2d1d4e

    SHA512

    ebae22aaf51abb3dc47b79b94f2597873694c9e477ff0861bc3ac01c8c14d82f7297009d80f072b227e00630b94e7e0ae1476b512608ff700fc1d3969e270d02

    Download Submit

  • memory/1732-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1732-11-0x0000000000220000-0x000000000024F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1732-9-0x0000000000220000-0x000000000024F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1732-0-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2944-19-0x0000000000220000-0x0000000000260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2944-13-0x0000000000400000-0x000000000042E77B-memory.dmp

    Filesize

    185KB

    Download