Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2024, 05:37
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20231222-en
General
- Target: tmp.exe
- Size: 2.5MB
- MD5: 945d2c9d9eeb48366f3f29f1038ec995
- SHA1: 0997d0b535248bb80a0c127cab8b9dd9c3bceec3
- SHA256: 38793cdce198f9972b28a4c2e1d1f909ae9b0ef93417ff54ab729db329733027
- SHA512: 751686c17e6c35f02c11074553974914b5afb661fd3ffd83aed6d8882d9fb6d9ccc12b34b03e39edaedb5054074f7e3bf4094b7510c5d4071e57ea123dc0fbab
- SSDEEP: 24576:ynsJ39LyjbJkQFMhmC+6GD9hYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnPyzwOe+atyC:ynsHyjtk2MYC5GDrYREXSVMDi3XR+qf
Malware Config
Signatures
- Gh0st RAT payload (8 IoCs)
  resource / yara_rule:
  - behavioral2/memory/3280-202-0x0000000010000000-0x0000000010121000-memory.dmp: family_gh0strat
  - behavioral2/memory/3280-204-0x0000000010000000-0x0000000010121000-memory.dmp: family_gh0strat
  - behavioral2/memory/3280-201-0x0000000010000000-0x0000000010121000-memory.dmp: family_gh0strat
  - behavioral2/memory/3280-200-0x0000000010000000-0x0000000010121000-memory.dmp: family_gh0strat
  - behavioral2/memory/2996-235-0x0000000010000000-0x0000000010121000-memory.dmp: family_gh0strat
  - behavioral2/memory/2996-239-0x0000000010000000-0x0000000010121000-memory.dmp: family_gh0strat
  - behavioral2/memory/2996-237-0x0000000010000000-0x0000000010121000-memory.dmp: family_gh0strat
  - behavioral2/memory/2996-234-0x0000000010000000-0x0000000010121000-memory.dmp: family_gh0strat
- Sets DLL path for service in the registry (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240602375.bat" (look2.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240601500.bat" (look2.exe)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (tmp.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (Synaptics.exe)
- Executes dropped EXE (8 IoCs)
  pid / Process:
  - 4112 ._cache_tmp.exe
  - 2000 look2.exe
  - 984 Synaptics.exe
  - 3280 HD_._cache_tmp.exe
  - 4352 ._cache_Synaptics.exe
  - 828 look2.exe
  - 2996 HD_._cache_Synaptics.exe
  - 4912 svchcst.exe
- Loads dropped DLL (4 IoCs)
  pid / Process:
  - 2000 look2.exe
  - 3996 svchost.exe
  - 828 look2.exe
  - 4912 svchcst.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (tmp.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXXEB285D75 = "C:\\Windows\\XXXXXXEB285D75\\svchsot.exe" (HD_._cache_tmp.exe)
- Drops file in System32 directory (6 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Windows\SysWOW64\ini.ini (look2.exe)
  - File created: C:\Windows\SysWOW64\240601500.bat (look2.exe)
  - File opened for modification: C:\Windows\SysWOW64\ini.ini (look2.exe)
  - File created: C:\Windows\SysWOW64\svchcst.exe (svchost.exe)
  - File opened for modification: C:\Windows\SysWOW64\svchcst.exe (svchost.exe)
  - File created: C:\Windows\SysWOW64\240602375.bat (look2.exe)
- Drops file in Program Files directory (1 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (._cache_tmp.exe)
- Drops file in Windows directory (2 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\XXXXXXEB285D75\svchsot.exe (HD_._cache_tmp.exe)
  - File opened for modification: C:\Windows\XXXXXXEB285D75\svchsot.exe (HD_._cache_tmp.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (tmp.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Synaptics.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid / Process:
  - 4112 ._cache_tmp.exe
  - 4112 ._cache_tmp.exe
  - 3280 HD_._cache_tmp.exe
  - 3280 HD_._cache_tmp.exe
  - 3280 HD_._cache_tmp.exe
  - 3280 HD_._cache_tmp.exe
  - 3280 HD_._cache_tmp.exe
  - 3280 HD_._cache_tmp.exe
  - 4352 ._cache_Synaptics.exe
  - 4352 ._cache_Synaptics.exe
  - 2996 HD_._cache_Synaptics.exe
  - 2996 HD_._cache_Synaptics.exe
  - 2996 HD_._cache_Synaptics.exe
  - 2996 HD_._cache_Synaptics.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / Process:
  - 4112 ._cache_tmp.exe
  - 4112 ._cache_tmp.exe
  - 4352 ._cache_Synaptics.exe
  - 4352 ._cache_Synaptics.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description / pid / Process / procid_target:
  - PID 4164 wrote to memory of 4112 (4164 tmp.exe, target 90)
  - PID 4164 wrote to memory of 4112 (4164 tmp.exe, target 90)
  - PID 4164 wrote to memory of 4112 (4164 tmp.exe, target 90)
  - PID 4112 wrote to memory of 2000 (4112 ._cache_tmp.exe, target 101)
  - PID 4112 wrote to memory of 2000 (4112 ._cache_tmp.exe, target 101)
  - PID 4112 wrote to memory of 2000 (4112 ._cache_tmp.exe, target 101)
  - PID 4164 wrote to memory of 984 (4164 tmp.exe, target 100)
  - PID 4164 wrote to memory of 984 (4164 tmp.exe, target 100)
  - PID 4164 wrote to memory of 984 (4164 tmp.exe, target 100)
  - PID 4112 wrote to memory of 3280 (4112 ._cache_tmp.exe, target 96)
  - PID 4112 wrote to memory of 3280 (4112 ._cache_tmp.exe, target 96)
  - PID 4112 wrote to memory of 3280 (4112 ._cache_tmp.exe, target 96)
  - PID 984 wrote to memory of 4352 (984 Synaptics.exe, target 93)
  - PID 984 wrote to memory of 4352 (984 Synaptics.exe, target 93)
  - PID 984 wrote to memory of 4352 (984 Synaptics.exe, target 93)
  - PID 4352 wrote to memory of 828 (4352 ._cache_Synaptics.exe, target 95)
  - PID 4352 wrote to memory of 828 (4352 ._cache_Synaptics.exe, target 95)
  - PID 4352 wrote to memory of 828 (4352 ._cache_Synaptics.exe, target 95)
  - PID 4352 wrote to memory of 2996 (4352 ._cache_Synaptics.exe, target 94)
  - PID 4352 wrote to memory of 2996 (4352 ._cache_Synaptics.exe, target 94)
  - PID 4352 wrote to memory of 2996 (4352 ._cache_Synaptics.exe, target 94)
  - PID 3996 wrote to memory of 4912 (3996 svchost.exe, target 104)
  - PID 3996 wrote to memory of 4912 (3996 svchost.exe, target 104)
  - PID 3996 wrote to memory of 4912 (3996 svchost.exe, target 104)
Processes
(Tree depth is shown in brackets; each entry lists the image path, the observed command line, the PID, and the signatures that fired for that process.)
- [1] C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe (PID 4112)
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe"
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe (PID 3280)
      Command line: C:\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
    - [3] C:\Users\Admin\AppData\Local\Temp\look2.exe (PID 2000)
      Command line: C:\Users\Admin\AppData\Local\Temp\\look2.exe
      Signatures: Sets DLL path for service in the registry; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
  - [2] C:\ProgramData\Synaptics\Synaptics.exe (PID 984)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    Signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- [1] C:\Windows\SysWOW64\svchost.exe (PID 5056)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "svchcst"
  Signatures: none recorded
- [1] C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (PID 4352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe (PID 2996)
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - [2] C:\Users\Admin\AppData\Local\Temp\look2.exe (PID 828)
    Command line: C:\Users\Admin\AppData\Local\Temp\\look2.exe
    Signatures: Sets DLL path for service in the registry; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- [1] C:\Windows\SysWOW64\svchost.exe (PID 3996)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "svchcst"
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\svchcst.exe (PID 4912)
    Command line: C:\Windows\system32\svchcst.exe "c:\windows\system32\240601500.bat",MainThread
    Signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads