Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

VirusShare...f4.exe

windows7-x64

10

VirusShare...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2024, 13:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe

  • Size

    221KB

  • MD5

    18b08223d3b50c2468ec07af1a87a5f4

  • SHA1

    02db9740c82b8c401fe6d465da6cbf732a1ad5ec

  • SHA256

    37fe629b678a189a737a47ee98b711b5e5a2bf1f44b256afa5d7dba8665df269

  • SHA512

    738320173f06a5d02eb72332c143f019b311f71b45f272b2bc0abccdcfc7e35ab59d37a6a934790ff717a5d55b9e59f9d3b142a48c85d1c92053f860cd995de5

  • SSDEEP

    3072:7QIURTXJ4bzsVBpw6xzGR27Hgqf+eaqLeHgqrviZ27ZlcuLCmKa76sXApYwGC95v:7sUizFxG0zrf+ev6Aq7iszKaGOwfR

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Blocklisted process makes network request 4 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:724
    • C:\Users\Admin\AppData\Local\Temp\Thunder.exe
      "C:\Users\Admin\AppData\Local\Temp\Thunder.exe"
      2⤵
      • Sets DLL path for service in the registry
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4616
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k BUUR27EH
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1000
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\system32\runnjy.pic,main BUUR27EH
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 468
      2⤵
      • Program crash
      PID:1136
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1000 -ip 1000
    1⤵
      PID:536
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k BUUR27EH
      1⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 440
        2⤵
        • Program crash
        PID:5020
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe c:\windows\system32\runnjy.pic,main BUUR27EH
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4724
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2376 -ip 2376
      1⤵
        PID:3300

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Thunder.exe
        Filesize

        484KB

        MD5

        9239f6869999f9f3bedebc05baf005e0

        SHA1

        8ec48e68ee90a85c977b0071751ae3f9f9540194

        SHA256

        50cf3aec53af25d40650f18b27b9f0b5d0ee728c255bfcb0b2470b1f6b1188c8

        SHA512

        c584e2baa0b01c04983ce28b9376c5698a55239f9418ff6b4b539e7eed784055d4b8671404235ccce1013c0d9696b963c0c521c679a32ef25217254f89ceeef8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Thunder.exe
        Filesize

        892KB

        MD5

        0ad1a0871d4fba59a2bfee03647fd8c1

        SHA1

        5dd89d5c4ecbe3b9104c9af56b60d9f073cc6b3d

        SHA256

        d558d29fe810d93363bc83b4ede387356fe486e7d5ad19ce6a34ee2cdc6211aa

        SHA512

        b3f99e45552babe148cf946b72f1fad3d0a085a33c98146429d0a60a4429703e2d3a6ca1421ce13edd88fc226d59df785fc4f138bbad778fc92479f81c655a91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Thunder.exe
        Filesize

        463KB

        MD5

        ee0bb35bf3dd4b3030841e8ab4ef21a3

        SHA1

        1037fb273a2f77727ac249ebf7f19d3cbbc06bac

        SHA256

        422bae5335ed3409424444fff3fdb2e7824d7010855cabb108067a06e61ad07b

        SHA512

        ba92307b0e9a21051ace940cb521d48e1075692cd83f833b4789082e63abc28b42b11349e48369c3d9fe1f92ce3258173ec49d72313d88081179589fbbe86436

        Download Submit

      • C:\Windows\SysWOW64\RUNnjY.pic
        Filesize

        438KB

        MD5

        3147523788aef88548c6b51a03dfd340

        SHA1

        00de2b89fdd77bd8e2ec9a4eb968bded6c98c091

        SHA256

        edd787ba0de9850348d06ee67c0741c9a6c603e42aa68811e6f32a50a5e730e5

        SHA512

        80920330bbe7bf20a7db3f56eb84f678a49a6797a154323699b0094fe5733001858750a49e5db37c56e812e0f59fb61a789c579faecc2ea3ea9589355593e6aa

        Download Submit

      • C:\Windows\SysWOW64\RUNnjY.pic
        Filesize

        343KB

        MD5

        e1cbc6b79feb445a7a9b013ff69dde5c

        SHA1

        7a91bffddddee801e8093efccd9e5ca7419fbc9b

        SHA256

        a3d9a1be59622fe94aea1e2a60cc4e3d4fc207e34cd2050d907be52823503660

        SHA512

        41c2cc166017347e65d19905300b3de6ce570bb7d56ac195b867332a4540308ef8946d06647fae27d113be5932037d69ad3dd5c7d99ba57a1e409284f7a8c2fe

        Download Submit

      • C:\Windows\SysWOW64\RUNnjY.pic
        Filesize

        200KB

        MD5

        b12b664278c423de58f43543406c9da4

        SHA1

        58da2c356b67cb7a280c5e3864005a3049f11b0e

        SHA256

        ad241aa096938ee0ce3ea9682b285de3d5cd9a28148b4fff1d1ca666c15d87bb

        SHA512

        2b695cd6c8f3f99f822446e2983402cb78b9bf89149eab1e382f7e639355aae97c83a1abe0313c62b81be2caa6222847a40e8881c199d81277653627761cf802

        Download Submit

      • C:\Windows\SysWOW64\RUNnjY.pic
        Filesize

        1.5MB

        MD5

        1b5c6390287dda485fc828c7962101b4

        SHA1

        fc4f751e9733d8025c7344cc30850b58a105950a

        SHA256

        a4cf7d4a6da7d4006c70669bc76790a5cc5467d70e1c4813274716a560702259

        SHA512

        f2e3fb173520465e6ac816ddb4887ef8c5ce56735c608a68ac119ddc21514873036b656e8f88d3d5cbbe5b327c1387e7d2fb51744e57b03fb39d4162093b29da

        Download Submit

      • C:\Windows\SysWOW64\RUNnjY.pic
        Filesize

        1.6MB

        MD5

        632bf59792dd1c3229d31351834d86a9

        SHA1

        c4e62b73f6a2f5aa6f2760afc4fefab3f3e3df3a

        SHA256

        a2ea93f44d62ec4d1f16c630c5827495d7b8b150dacc3c340edbd4881d4f0907

        SHA512

        4338d607b0c4b8370b7d1621e9af27a8742e1b05885a5d2bde4538066336dbb14fadc5a792064547584c4e354bd163f6b8d564f305f4c4708bafb84bdd36e8ce

        Download Submit

      • \??\c:\windows\SysWOW64\runnjy.pic
        Filesize

        400KB

        MD5

        a2eff7ba7a14ee9629ea7536a66e44e8

        SHA1

        9ad73550bf5a84c4c1c32ed6e3933f43c099a7ef

        SHA256

        2e80d2a965550bf41217dd3609f10810217b4b6b40af129352cf0b86bc3833cb

        SHA512

        bac63e4b7915a923d2419dd40eac759efb37fcd873873720436e6ce29aadd770aaae155540b10fcb831f5040e32675042a84c871fc36c250d227d038c6ee6000

        Download Submit