Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 03/05/2024, 14:19
Static task: static1
Behavioral task: behavioral1
  Sample: 04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe
  Resource: win10v2004-20240226-en
General
Target: 04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe
Size: 684KB
MD5: 1bd41a4925226862a9dd18abce9515d5
SHA1: cdcbdb66ca67c511774c4ffa06d7e954e2b25136
SHA256: 04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623
SHA512: 39349596911102ad081ab91230ed0af2d69ccb9887a47bdd9c869cc13858aae8c7d523b7ef4cd7988cbd4dafd2edc576a4ebc9b4416ff57a0e6849d847a0395d
SSDEEP: 3072:ScK/yLrQbWaR5Qax8c/YtZGx0gLY9eHVU2NYYKtjTtnbaUllllllllllllllpsx9:SXyLEbWaR5CcSAYYm2+tbLy
Malware Config (extracted)
Family: gh0strat
C2 address: 117.18.15.248
Signatures (every hit below comes from behavioral1, the Windows 7 run; the page records no behaviour for the Windows 10 run)

Gh0st RAT payload (2 IoCs)
  YARA rule family_gh0strat matched two memory dumps of PID 2008:
    behavioral1/memory/2008-0-0x0000000010000000-0x0000000010015000-memory.dmp
    behavioral1/memory/2008-15-0x0000000000400000-0x00000000004AD000-memory.dmp
  The second region (0x00400000, 0xAD000 bytes) is the sample's own image. The first is a separate 0x15000-byte module at 0x10000000, the default image base of an MSVC-built DLL, which is consistent with a payload module that exists only in memory.

Executes dropped EXE (2 IoCs)
  PID 2184  Wjzgrse.pif
  PID 3012  Wjzgrse.pif

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Wjzgrse.pif  by 04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe
  File opened for modification: C:\Program Files (x86)\Wjzgrse.pif  by 04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2008  04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe  (2 hits)
  PID 2184  Wjzgrse.pif  (2 hits)
  PID 3012  Wjzgrse.pif  (2 hits)

Suspicious behavior: RenamesItself (1 IoC)
  PID 2008  04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2184 (Wjzgrse.pif) wrote to the memory of PID 3012, four times (procid_target 29).
  Caveat: a parent writing into a child it has just created is also what CreateProcess does while setting up the child's process parameters, so these writes alone do not prove code injection; the in-memory Gh0st module above is the stronger evidence.
Processes

- (depth 1) C:\Users\Admin\AppData\Local\Temp\04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe"
  PID: 2008
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself

- (depth 1) C:\Program Files (x86)\Wjzgrse.pif
  Command line: "C:\Program Files (x86)\Wjzgrse.pif"
  PID: 2184
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - (depth 2, child of PID 2184) C:\Program Files (x86)\Wjzgrse.pif
    Command line: "C:\Program Files (x86)\Wjzgrse.pif" Win7
    PID: 3012
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
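The signature and process-tree sections above are a set of indicators; the following Python turns them into detection logic and runs it over Sysmon-style events. This is an example added here by the editor, not part of the tria.ge report and not the sample's code. The event field names follow Sysmon's ProcessCreate (EventID 1), FileCreate (EventID 11) and NetworkConnect (EventID 3) schema, but the events in SAMPLE_EVENTS are constructed; the parent processes in them (explorer.exe, and the sample as parent of PID 2184) are assumptions the report does not state.

```python
"""Hunt for the Gh0st RAT sample's IOCs in Sysmon-style process/file/network events.

Added example by the editor; not part of the tria.ge report and not the sample's
code. SAMPLE_EVENTS are constructed, not real telemetry.
"""

# Indicators taken verbatim from the report above.
IOC = {
    "md5": "1bd41a4925226862a9dd18abce9515d5",
    "sha1": "cdcbdb66ca67c511774c4ffa06d7e954e2b25136",
    "sha256": "04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623",
    "dropped_path": r"C:\Program Files (x86)\Wjzgrse.pif",
    "c2_ip": "117.18.15.248",
    "relaunch_arg": "Win7",
}

PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623.exe")

# Constructed events that replay the report's process chain. Parent PIDs/images
# are assumptions: the report shows Wjzgrse.pif at depth 1 without naming its parent.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2008, "ParentProcessId": 1200,
     "Image": SAMPLE_PATH, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE_PATH}"',
     "Hashes": f"MD5={IOC['md5']},SHA256={IOC['sha256']}"},
    {"EventID": 11, "ProcessId": 2008, "Image": SAMPLE_PATH,
     "TargetFilename": IOC["dropped_path"]},
    {"EventID": 1, "ProcessId": 2184, "ParentProcessId": 2008,
     "Image": IOC["dropped_path"], "ParentImage": SAMPLE_PATH,
     "CommandLine": f'"{IOC["dropped_path"]}"'},
    {"EventID": 1, "ProcessId": 3012, "ParentProcessId": 2184,
     "Image": IOC["dropped_path"], "ParentImage": IOC["dropped_path"],
     "CommandLine": f'"{IOC["dropped_path"]}" Win7'},
    {"EventID": 3, "ProcessId": 3012, "Image": IOC["dropped_path"],
     "DestinationIp": IOC["c2_ip"]},
    # Benign control event: must produce no findings.
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def parse_sysmon_hashes(field):
    """Split Sysmon's 'MD5=..,SHA1=..,SHA256=..' field into {algorithm: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().lower()] = digest.strip().lower()
    return out


def hunt(events, ioc=IOC):
    """Return a list of (rule_name, ProcessId) for every event that matches an IOC.

    Hash rules catch only this exact file; the behavioural rules (a .pif executed
    from Program Files, a process relaunching its own image with the 'Win7'
    argument, the C2 address) also catch repacked builds of the same dropper.
    """
    findings = []
    for ev in events:
        eid, pid = ev.get("EventID"), ev.get("ProcessId")
        image = ev.get("Image", "").lower()
        if eid == 1:  # ProcessCreate
            hashes = parse_sysmon_hashes(ev.get("Hashes", ""))
            if any(hashes.get(a) == ioc[a] for a in ("md5", "sha1", "sha256")):
                findings.append(("known_sample_hash", pid))
            if image.startswith(PROGRAM_FILES) and image.endswith(".pif"):
                findings.append(("pif_executed_from_program_files", pid))
            parent = ev.get("ParentImage", "").lower()
            cmd = ev.get("CommandLine", "").rstrip()
            if parent == image and cmd.endswith(" " + ioc["relaunch_arg"]):
                findings.append(("self_relaunch_with_win7_arg", pid))
        elif eid == 11:  # FileCreate
            target = ev.get("TargetFilename", "").lower()
            if target == ioc["dropped_path"].lower():
                findings.append(("dropped_file_path", pid))
            elif target.startswith(PROGRAM_FILES) and target.endswith(".pif"):
                findings.append(("pif_written_to_program_files", pid))
        elif eid == 3:  # NetworkConnect
            if ev.get("DestinationIp") == ioc["c2_ip"]:
                findings.append(("gh0st_c2_connect", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:35s} PID {pid}")
```

Run against the constructed events this flags PID 2008 twice (known hash, dropped file), PID 2184 once (.pif run from Program Files) and PID 3012 three times (.pif run, self-relaunch with "Win7", connection to 117.18.15.248); the notepad.exe control event produces nothing. In a real deployment the Program Files .pif rule needs an allow-list pass first, since legacy installers do ship .pif shortcuts.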
Network
MITRE ATT&CK Matrix
Downloads
Sample file (684KB)
  MD5: 1bd41a4925226862a9dd18abce9515d5
  SHA1: cdcbdb66ca67c511774c4ffa06d7e954e2b25136
  SHA256: 04873d414d4cd4d41ae4d3dff098a2b4260be73d92a7efb139d1677b0cb6e623
  SHA512: 39349596911102ad081ab91230ed0af2d69ccb9887a47bdd9c869cc13858aae8c7d523b7ef4cd7988cbd4dafd2edc576a4ebc9b4416ff57a0e6849d847a0395d