Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    28/01/2024, 13:24

General

  • Target

    7d3f78751cfd6487239388b034cb95fb.exe

  • Size

    159KB

  • MD5

    7d3f78751cfd6487239388b034cb95fb

  • SHA1

    225d03be82b3a8e1a2793e172ba3b7bfd2c08c69

  • SHA256

    6f79d3fe6f776ade4e6c4d71b4abe345e2b45a2efc4c6d1a1ca508aa0f990f50

  • SHA512

    50de88ecd80e1e0a1f58924f5afda666cfea028d6d16a0c8cd89339976a30c36b716a5eb3e5171237ebb5a0f4292ceb3b80d5453b707793ae684c054623a321e

  • SSDEEP

    3072:Wej6psFmhQ7cVoQ3TQdwW3iZ8sNqkgq6Whudv:WYcV453GzskgbIK

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d3f78751cfd6487239388b034cb95fb.exe
    "C:\Users\Admin\AppData\Local\Temp\7d3f78751cfd6487239388b034cb95fb.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ksafetray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:524
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4796
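The process tree above shows the three behaviours a detection engineer would key on: a forced taskkill of a security-product tray process (Ksafetray.exe) spawned by a binary running out of %TEMP%, a service host (`svchost.exe -k imgsvc`) loading a DLL from outside the system directories, and a %TEMP% process writing into Program Files and the Windows directory. The block below is an added example, not tria.ge's code: it replays those behaviours as constructed Sysmon-style events and runs three simple rules over them. Which process loaded the dropped DLL is not stated on the page, so the `image_load` event for PID 4796 is an assumption, as is the watchlist of security-product process names beyond Ksafetray.exe.

```python
"""Added example (not tria.ge code): replay the behaviours in this report as
Sysmon-style events and run three simple detections over them."""
import re
from collections import Counter

# Directory prefixes, lower-cased, with a trailing backslash.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "c:\\users\\public\\")
PROTECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Ksafetray.exe is the target seen in this report; the other names are an
# assumed watchlist for illustration only.
SECURITY_PROCS = {"ksafetray.exe", "msmpeng.exe", "360tray.exe"}

DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7d3f78751cfd6487239388b034cb95fb.exe"
SVCHOST = "C:\\Windows\\SysWOW64\\svchost.exe"


def norm(path):
    """Strip the NT '\\??\\' prefix the report shows and lower-case for comparison."""
    return path.replace("\\??\\", "").lower()


def basename(path):
    return norm(path).rsplit("\\", 1)[-1]


# Constructed events modelled on the process tree and the Downloads list.
# The image_load for pid 4796 is an assumption; the page does not say which
# process loaded the dropped DLL.  Two benign control events are included.
EVENTS = [
    {"type": "process_create", "pid": 3624, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "process_create", "pid": 524, "ppid": 3624,
     "image": "C:\\Windows\\SysWOW64\\taskkill.exe", "cmdline": "taskkill /f /im Ksafetray.exe"},
    {"type": "process_create", "pid": 4796, "ppid": 688, "image": SVCHOST, "cmdline": f"{SVCHOST} -k imgsvc"},
    {"type": "image_load", "pid": 4796, "image": SVCHOST, "loaded": "C:\\Windows\\Prefetch2200000.dll"},
    {"type": "image_load", "pid": 4796, "image": SVCHOST, "loaded": "C:\\Windows\\SysWOW64\\ntdll.dll"},  # benign control
    {"type": "file_create", "pid": 3624, "image": DROPPER, "target": "\\??\\c:\\Program Files\\NT_Path.gif"},
    {"type": "file_create", "pid": 3624, "image": DROPPER, "target": "\\??\\c:\\program files (x86)\\fbcd\\kbcdefghi.gif"},
    {"type": "file_create", "pid": 3624, "image": DROPPER, "target": "C:\\Windows\\Prefetch2200000.dll"},
    {"type": "process_create", "pid": 9001, "ppid": 2000,
     "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /im notepad.exe"},  # benign control
]


def rule_forced_kill_of_security_tool(ev):
    """taskkill /f /im <name> where <name> is a known security-product process."""
    if ev["type"] != "process_create" or basename(ev["image"]) != "taskkill.exe":
        return None
    cmd = ev["cmdline"]
    target = re.search(r"/im\s+(\S+)", cmd, re.I)
    forced = re.search(r"(?:^|\s)/f(?:\s|$)", cmd, re.I)
    if target and forced and target.group(1).lower() in SECURITY_PROCS:
        return f"forced taskkill of {target.group(1)}"
    return None


def rule_svchost_loads_foreign_dll(ev):
    """A service host mapping a DLL that does not live under System32/SysWOW64/WinSxS."""
    if ev["type"] != "image_load" or basename(ev["image"]) != "svchost.exe":
        return None
    if not norm(ev["loaded"]).startswith(SYSTEM_DIRS):
        return f"svchost loaded DLL outside system directories: {ev['loaded']}"
    return None


def rule_temp_process_writes_protected_dir(ev):
    """A process running from a user-writable location writing into Program Files or Windows."""
    if ev["type"] != "file_create":
        return None
    src, dst = norm(ev["image"]), norm(ev["target"])
    if any(d in src for d in USER_WRITABLE) and dst.startswith(PROTECTED_DIRS):
        return f"process from user-writable path wrote {ev['target']}"
    return None


RULES = (rule_forced_kill_of_security_tool, rule_svchost_loads_foreign_dll,
         rule_temp_process_writes_protected_dir)


def run(events):
    """Return (rule_name, pid, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev["pid"], detail))
    return hits


def summary(events):
    """Hit count per rule, handy for a quick triage view."""
    return Counter(name for name, _, _ in run(events))


if __name__ == "__main__":
    for name, pid, detail in run(EVENTS):
        print(f"{name:<40} pid={pid:<5} {detail}")
```

Two caveats when turning this into a production rule: `svchost.exe -k imgsvc` is a legitimate service group (it hosts the Windows Image Acquisition service), so the signal is the DLL path loaded into it, not the group name; and a Gh0st-style installer registers its DLL as a service, so a service-creation event (Sysmon Event ID 13 on `HKLM\SYSTEM\CurrentControlSet\Services\...\Parameters\ServiceDll`, or Security 4697) would be the earlier and more specific indicator than the later image load.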

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\Prefetch2200000.dll

    Filesize

    148KB

    MD5

    9f1d33774b068c47ecbde821efcac555

    SHA1

    65df4b9718e9b958bbc497a691a327c745b8d7e2

    SHA256

    f74a0be343166ab7fd372019caf295a9e86a081449dc570e2f35a7237ed79407

    SHA512

    d879e34ef9e119c0e8c5d083f97ad227c7dd89825b3f399aaa92006b1921c08af90b4ee34107f7cb30c7f598d2753aa7c78318ec7a5fa4209c34036d372e28f2

  • \??\c:\Program Files\NT_Path.gif

    Filesize

    101B

    MD5

    dbafd2b4b3e3e1bba62428b5f0213093

    SHA1

    d34e43b55b503669329419762d8ac7911882370b

    SHA256

    27340d7b0e2f919027d973509aecf81759e441f143da73f2fe483a5d22bbcad3

    SHA512

    1bf6cfa7e31ee218e3c4968e0a5cfa2857e2ba43934ae5f7f8e1a4f4dbfdeb42103921f86edab6fcc74d1c4256f41ed1be1b432f832d5012b73200faa7057369

  • \??\c:\program files (x86)\fbcd\kbcdefghi.gif

    Filesize

    178KB

    MD5

    512ac2f7add988499fb0e4ca881f232a

    SHA1

    5eca1d4e66bb5d69b18b80c531088d4376067848

    SHA256

    b1049f0a78ab49649b0a0b3bf3c1873dbbf841d39c4fe95e663b2a5b8a8e1b2c

    SHA512

    a8775cb885f8eb6ec22348f2f00bfb234ed79235b9904b708f8b60c21deab55bf770035ff89f5b8bdb9cc373b682bf656e5351aa512a05144d78f323398ae682

  • memory/3624-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3624-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB