Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
19/01/2024, 08:00
General
-
Target
67192514274aac738a2b014e7c8a913c.exe
-
Size
260KB
-
MD5
67192514274aac738a2b014e7c8a913c
-
SHA1
d5ed248403057efff3e8d717d1cf0f650d655790
-
SHA256
5a1dd5d210d973e1bd4027e9a6fc16efe3dce6d8ed3dbd9c4a2463c0158687e0
-
SHA512
6f4d56afd1a2a99bd011700a6eac284b5ef20d24bbf66d3180bde5aec060f2bbc716c155469f83388229117535fd1abd24f2952f32886fa2f6af77e786d6dead
-
SSDEEP
6144:+wxvges2lBlZL02vIM/N5gAshXqBdYHEzodHVe4C7:lvges2lBlOA9/oAspqBqHEzo1Ve4C7
Malware Config
Signatures
-
Gh0st RAT payload 8 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 11 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 5 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\67192514274aac738a2b014e7c8a913c.exe"C:\Users\Admin\AppData\Local\Temp\67192514274aac738a2b014e7c8a913c.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\maolan.exe"C:\Program Files\Common Files\maolan.exe" "C:\Program Files\Common Files\maolan.dll" ServiceMain2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Documents and Settings\qiuqi1.exe"C:\Documents and Settings\qiuqi1.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c del C:\DOCUME~1\qiuqi1.exe3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c del C:\Users\Admin\AppData\Local\Temp\671925~1.EXE2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD59a2ac34d780d37ec45731772e38519d8
SHA14ef188f311680329b0b31664c075f2016a3a52f7
SHA2564b1d12ee9cd10139f77453afb333a70d01938f00fce08db84dd26f748dd51e8e
SHA5125d6e7fa50401204fecca993f8fe8b21da1cf4b25fb98addf527b59fe5a40b5a3890ce6dc1332caf4146097d324feab4744ce8905fa1248b656071f83ee179377
-
Filesize
2.8MB
MD5e40dd28d954deb1e3f5559289d2b7552
SHA1ffa346d1470090e074c1690dc922bee705ec4dd1
SHA256f01219062c7921e14ab854ca2e3dd50acb9ea965dbc71f3960c0495ce2ec6765
SHA5128c77a752156ac7bc38cd07e592d7305492529b1ed1eaf325b0d60491433507061f8f60ba905378461e965a0904d668bf1cae44382f4f2b82ce0e57e39da821e4
-
Filesize
93KB
MD59d4e057fe19386b6d7226ab5ddff8952
SHA1ac21f063cdf80aa0e946c56245ba7555d09905ba
SHA2568042643e61faf6c4122fd74b6321369321d483403368eef28d9028458338a93f
SHA5122212197dcb9c8bb7f3f4a7c1dc3512d17adb730dbe220c74b506c290d857a45a1077d86416bcb490a65765c28c0d582b8438938c2838fc3780268035a11c7224
-
Filesize
420KB
MD5ba96e5df213870ee45cf54f33c01aa5f
SHA161cd0ac21aeda1bb9bbf4a261803ca6628e8fb3b
SHA2566c306a55e86846ef2f4dd4158245110068367a5514583660e975a0a531baa597
SHA512b9ef45807d4018062d2322d355622da6d3ebc91995990c34a643168d732e5a4777244c4511b57eb7a9e386bae725890a394ecdfa09cf1c3846871a3cb8a21b5c
-
Filesize
477KB
MD5dcb137e4fc3b18cf502363a65ed8dd00
SHA11f8df60f720d051de769db1b1be908ac48b97f00
SHA2567ef0da20be326ddacea33ba83323a1fc819edacec2380e70414a6461eb0a58a2
SHA51250da63069770774766630823bbe15d33582602b45a97eb3536716a75246c00a98f82792de81364bc13a3b4ff369f020e30234a5f98bf142420368f348cdbec32
-
Filesize
402KB
MD5fdd89bac28a1f121dc637c88d80ea9a6
SHA1d5096897d526de5cb497d8d886d89ab1a3380105
SHA2568cf4ec5e2fab51233bc014c0af64a6d5716f4117b0a77b41c7c549b829d4f2a4
SHA51270996670196999f537fc626ef1c312ed4fd2ee9d09c89b510488da13b86980a8cb01aff4804a977481e6a4446f9f37b7424e070687f896003576f463e93dfa69
-
Filesize
460KB
MD576eac3ab4a65c41dd1021d8f57edd311
SHA1b4b630349f4b934d96b74b1207e591060d9592f9
SHA25678ffec6c36d4d549a6d62a43e2839688323be3e2baa6a777409e4ac63c615a9e
SHA51227e2d77797e27a204b760ac405f692bc6fb8dba618b166596a925ae24ddb168a580ffac27d1b39f77e98603841b5c41c16d92a18bf406fa578406c2b05a776a9
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
130KB
MD546d7f5f26d51e21cb7a052ec46fca0db
SHA1792476144b73bfa90b7c839da3ba11e3bac7484f
SHA256abaedba7d8065830f6c54ac92085887ab73df325815daf628251e58e99cd6a98
SHA5124911af647fc259059c3017e17174feaae341806036e778ba5b500b820ea19febaaa12c3645a2a0ffb74f11f3f3ae293254b7082b9c069bdcc5f25d662130c8b7
-
Filesize
115KB
MD5855d7a658a8821b43736f2585a102568
SHA1cffbda8174ee8dc485879c3dfacff4a9a86907ee
SHA2562c9c959220487e0e5b5ae41c95c1ea4e8b5dd49cfb84752357e7c1d9cc7044d5
SHA512c0aec3b6f591e08053e1cf6cab18d9bda88d1f53f3f4b276395987517a9c438554d059b90d3ad3c2c9d6a04f52e1481dd45ed87d6a9abe3a12ea12aa88e133c5
-
Filesize
53KB
MD503e08fcd46fbd803e4b3affef79530c1
SHA198fe9da42ffa3427bab3a25ddc10a29c7dd44618
SHA256f219e25735ceae8fced789b1042be25a9e08c23a48f40b22184fea5c1147b86f
SHA512ab2f13512b0fa17b05ef407f1603b3dc0d0a521c6f5034ae1b49095423b2b2ad7437f0b4cbea9059ae68ef1e692ffff7f7843155e64aa300ec3acbad372a0760
-
Filesize
117KB
MD52f5f1305ad58c80179a502f676abe349
SHA1a438b5ed970102518526d48ef1bf79f9bbc4ffa3
SHA25624b1da484824a924643532b953fa690e55cf53647b428941c4e755159ed05a19
SHA51298fe24c9f81172e9eb80d583634844da95879105ac3c77b5fa27190d03016483cadcc9f4959a1e2119c226192cbc9ea3a83718a9131dabbaf324989c6fee67e9
-
Filesize
8KB
-
Filesize
24KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
248KB
-
Filesize
484KB
-
Filesize
248KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
52KB
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
248KB
-
Filesize
484KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
156KB