Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    03/05/2024, 14:19

General

  • Target

    04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe

  • Size

    684KB

  • MD5

    1bd41a4925226862a9dd18abce9515d5

  • SHA1

    cdcbdb66ca67c511774c4ffa06d7e954e2b25136

  • SHA256

    04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623

  • SHA512

    39349596911102ad081ab91230ed0af2d69ccb9887a47bdd9c869cc13858aae8c7d523b7ef4cd7988cbd4dafd2edc576a4ebc9b4416ff57a0e6849d847a0395d

  • SSDEEP

    3072:ScK/yLrQbWaR5Qax8c/YtZGx0gLY9eHVU2NYYKtjTtnbaUllllllllllllllpsx9:SXyLEbWaR5CcSAYYm2+tbLy

Score
10/10

Malware Config

Extracted

Family

gh0strat

C2

117.18.15.248

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe
    "C:\Users\Admin\AppData\Local\Temp\04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    PID:2008
  • C:\Program Files (x86)\Wjzgrse.pif
    "C:\Program Files (x86)\Wjzgrse.pif"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Program Files (x86)\Wjzgrse.pif
      "C:\Program Files (x86)\Wjzgrse.pif" Win7
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Wjzgrse.pif

    Filesize

    684KB

    MD5

    1bd41a4925226862a9dd18abce9515d5

    SHA1

    cdcbdb66ca67c511774c4ffa06d7e954e2b25136

    SHA256

    04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623

    SHA512

    39349596911102ad081ab91230ed0af2d69ccb9887a47bdd9c869cc13858aae8c7d523b7ef4cd7988cbd4dafd2edc576a4ebc9b4416ff57a0e6849d847a0395d

  • memory/2008-0-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

  • memory/2008-15-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB