Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 13/03/2024, 03:29
Static task: static1
Behavioral task: behavioral1
  Sample: c4dc4ca3ce70af3d013b2eab204d7447.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: c4dc4ca3ce70af3d013b2eab204d7447.exe
  Resource: win10v2004-20231215-en
General
Target: c4dc4ca3ce70af3d013b2eab204d7447.exe
Size: 110KB
MD5: c4dc4ca3ce70af3d013b2eab204d7447
SHA1: 3328a485655773fb696a89e81be6fcb25e9a6eb7
SHA256: 85e693531ab05707ad50ddcd7b4d1f39f70076363455715fc496b7fd55097a80
SHA512: 6c33f854a6fe0b3c88ea06fac091a58107042bc8a269a9549de1150c5b5a9ece6615870cf3ec2bde189535b28afaa82e6a7178814a3349d0f215030de62fbef0
SSDEEP: 3072:JHyojxtwyOsBKnTCXgzGjhk2LfAHC4612mBF1ivmn:JHyoIuu+XgI+W14612m8w
Malware Config
Signatures
- Gh0st RAT payload (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/2856-2-0x0000000000400000-0x0000000000446000-memory.dmp  family_gh0strat
  behavioral1/memory/2856-6-0x0000000000400000-0x0000000000446000-memory.dmp  family_gh0strat
  behavioral1/files/0x000b000000015d0f-5.dat  family_gh0strat
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  description / ioc / Process:
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilitysc.dll"  c4dc4ca3ce70af3d013b2eab204d7447.exe
- Deletes itself (1 IoCs)
  pid / Process: 2280  svchost.exe
- Loads dropped DLL (1 IoCs)
  pid / Process: 2280  svchost.exe
- Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
  File created  C:\Windows\SysWOW64\update08932.log  svchost.exe
  File created  C:\Windows\SysWOW64\FastUserSwitchingCompatibilitysc.dll  c4dc4ca3ce70af3d013b2eab204d7447.exe
- Drops file in Program Files directory (2 IoCs)
  description / ioc / Process:
  File created  C:\Program Files (x86)\Common Files\System\~utd.log  c4dc4ca3ce70af3d013b2eab204d7447.exe
  File opened for modification  C:\Program Files (x86)\Common Files\System\~utd.log  c4dc4ca3ce70af3d013b2eab204d7447.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process: 2280  svchost.exe; 2280  svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c4dc4ca3ce70af3d013b2eab204d7447.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4dc4ca3ce70af3d013b2eab204d7447.exe"
  PID: 2856
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Drops file in Program Files directory
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 2280
  - Deletes itself
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 83KB
  MD5: e4af60f38adfd41937804a89fdaaa45b
  SHA1: 1b496625e6a39353e41070971fabeade16b3361d
  SHA256: b75134f93c2a2de173d387f9a52e88ab0170121b54fbaf41bd036b73f438d525
  SHA512: 04812961e7c82ac225220458dbe8f24f19065d52979e043f330a283893fda600a7d4a82088040bfff5d2406195b4468e9c043fa3a76c78c434be350d0fd54081