Analysis

  • max time kernel
    128s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/01/2024, 10:14

General

  • Target

    PCBoost.exe

  • Size

    291KB

  • MD5

    8e082840ba73601cf3500b473be9530a

  • SHA1

    cfaf2f80209bba131ce916610f224718dec4a4a1

  • SHA256

    f2a842bf291c54705a59e3a4c388310e692ec1608dbfc3c4921b709b2f45193f

  • SHA512

    16694c951e851533b6088be619f31208e989611c32f3d191c1bc1af6fb76c493874d1b382e56bf748e00210a21d63055c985decc71fff0f3a81adc09551cbe25

  • SSDEEP

    3072:Inj9jtfU+INndIc0JWo5vmu2bOsmu2bOns8AbphCFUARI0Fx5IlBANTQ9a+mrMnm:IjbeiHibVibws8AujIbAN89RmUhV5sCw

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PCBoost.exe
    "C:\Users\Admin\AppData\Local\Temp\PCBoost.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸çÃǺÃ~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸çÃǺÃ~1.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Windows\system32\PPSAHD.dll setup
        3⤵
        • Sets DLL path for service in the registry
        PID:2420
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 372
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2740
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    PID:2460

Network

MITRE ATT&CK Enterprise v15

Downloads

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\¸çÃǺÃ~1.EXE

      Filesize

      51KB

      MD5

      f789296c231b8a057b5687c9d0775f99

      SHA1

      29a9481b5cf64655e6f8e06f944b2cf2ac871585

      SHA256

      0b60ef302c3df351941bc936572ddb69770ce226cd3418ea433a1dc92325c76c

      SHA512

      7b538de2c842e1894badda2a98125d4c3ae7344cc5b977f0d9b153708d69d3e0f54bbec0c784ad794eb5512d3a957491676e92a602d1ce7ca1eb28dfd93b6b84

    • \Users\Admin\AppData\Local\Temp\Server.tmp

      Filesize

      108KB

      MD5

      7a6e39ef6874d2ae9e6bbd2d0fd21a29

      SHA1

      6a4baa6c7f1722ae2c5598e0c9ef104431660267

      SHA256

      073fe0cf6f7229cd0498852c56b5d42165ff190ed938aec5dbb47f8d330c3ab2

      SHA512

      e59abbdf920a9aa91e3dedd468b8655616fe13f6fcee17b05340592f09d8e84dc86387495d0ffe5f645649bc6234ebc1705b9d1320f090a21be00f14d53c7475

    • memory/1644-9-0x00000000001C0000-0x00000000001EE000-memory.dmp

      Filesize

      184KB

    • memory/1644-10-0x00000000001C0000-0x00000000001EE000-memory.dmp

      Filesize

      184KB

    • memory/1644-26-0x00000000001C0000-0x00000000001EE000-memory.dmp

      Filesize

      184KB

    • memory/1644-25-0x00000000001C0000-0x00000000001EE000-memory.dmp

      Filesize

      184KB

    • memory/1752-11-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1752-27-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB