Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/05/2024, 10:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: 61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe
- Resource: win7-20240215-en
General
- Target: 61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe
- Size: 1.3MB
- MD5: 7ed1269e64e1d1ad3a1ce5e02a313522
- SHA1: 2ee6d3eb5e25faa346c5cfddc97af7bde16a8075
- SHA256: 61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc
- SHA512: 8969f26a0edbddacedfa7f7ac4daf901650a78a27de157e2786c65e8ef260f0cab430ef4abe0e0d8de11040475a1af6eedccb6387bfec6a49f0915680f3f80cc
- SSDEEP: 24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNu:QHPkVOBTK
Malware Config
Signatures

- (signature title not present on page) 3 IoCs
  resource                                                                    yara_rule
  behavioral2/memory/1372-0-0x0000000010000000-0x000000001019F000-memory.dmp   purplefox_rootkit
  behavioral2/memory/3432-10-0x0000000010000000-0x000000001019F000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3648-17-0x0000000010000000-0x000000001019F000-memory.dmp  purplefox_rootkit

- Gh0st RAT payload 3 IoCs
  resource                                                                    yara_rule
  behavioral2/memory/1372-0-0x0000000010000000-0x000000001019F000-memory.dmp   family_gh0strat
  behavioral2/memory/3432-10-0x0000000010000000-0x000000001019F000-memory.dmp  family_gh0strat
  behavioral2/memory/3648-17-0x0000000010000000-0x000000001019F000-memory.dmp  family_gh0strat

- Drops file in Drivers directory 1 IoCs
  description   ioc                                         Process
  File created  C:\Windows\system32\drivers\QAssist.sys     Aqiyq.exe

- Sets service image path in registry 2 TTPs 1 IoCs
  description      ioc                                                                                                  Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  Aqiyq.exe

- Executes dropped EXE 2 IoCs
  pid   Process
  3432  Aqiyq.exe
  3648  Aqiyq.exe

- Drops file in System32 directory 2 IoCs
  description                  ioc                             Process
  File created                 C:\Windows\SysWOW64\Aqiyq.exe   61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe
  File opened for modification C:\Windows\SysWOW64\Aqiyq.exe   61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe

- Modifies data under HKEY_USERS 3 IoCs
  description      ioc                                                                                                              Process
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                Aqiyq.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"    Aqiyq.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"   Aqiyq.exe

- Runs ping.exe 1 TTPs 1 IoCs
  pid   Process
  2252  PING.EXE

- Suspicious behavior: LoadsDriver 1 IoCs
  pid   Process
  3648  Aqiyq.exe

- Suspicious use of AdjustPrivilegeToken 6 IoCs
  description                          pid   Process
  Token: SeIncBasePriorityPrivilege    1372  61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe
  Token: SeLoadDriverPrivilege         3648  Aqiyq.exe
  Token: 33                            3648  Aqiyq.exe
  Token: SeIncBasePriorityPrivilege    3648  Aqiyq.exe
  Token: 33                            3648  Aqiyq.exe
  Token: SeIncBasePriorityPrivilege    3648  Aqiyq.exe

- Suspicious use of WriteProcessMemory 9 IoCs
  description                        pid   Process                                                                 procid_target
  PID 1372 wrote to memory of 468    1372  61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe   83
  PID 1372 wrote to memory of 468    1372  61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe   83
  PID 1372 wrote to memory of 468    1372  61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe   83
  PID 3432 wrote to memory of 3648   3432  Aqiyq.exe                                                               84
  PID 3432 wrote to memory of 3648   3432  Aqiyq.exe                                                               84
  PID 3432 wrote to memory of 3648   3432  Aqiyq.exe                                                               84
  PID 468 wrote to memory of 2252    468   cmd.exe                                                                 86
  PID 468 wrote to memory of 2252    468   cmd.exe                                                                 86
  PID 468 wrote to memory of 2252    468   cmd.exe                                                                 86
Processes

[1] C:\Users\Admin\AppData\Local\Temp\61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc.exe"
    PID: 1372
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\61630C~1.EXE > nul
        PID: 468
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 2 127.0.0.1
            PID: 2252
            - Runs ping.exe

[1] C:\Windows\SysWOW64\Aqiyq.exe
    Command line: C:\Windows\SysWOW64\Aqiyq.exe -auto
    PID: 3432
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\Aqiyq.exe
        Command line: C:\Windows\SysWOW64\Aqiyq.exe -acsi
        PID: 3648
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
- MD5: 7ed1269e64e1d1ad3a1ce5e02a313522
- SHA1: 2ee6d3eb5e25faa346c5cfddc97af7bde16a8075
- SHA256: 61630c4c53ea7fdaf818db5450f18cc43d0dbdcd99f5d79fd894291f7d3614dc
- SHA512: 8969f26a0edbddacedfa7f7ac4daf901650a78a27de157e2786c65e8ef260f0cab430ef4abe0e0d8de11040475a1af6eedccb6387bfec6a49f0915680f3f80cc