Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/06/2024, 16:29
Behavioral tasks
- behavioral1: eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe on resource win7-20240221-en
- behavioral2: eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe on resource win10v2004-20240508-en
General
- Target: eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe
- Size: 114KB
- MD5: c4a0cde1025bad5dc53dd73ec2b5ad4f
- SHA1: 2860366d72aecc844f19382ef5abdc2a8a928b73
- SHA256: eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484
- SHA512: 38e20cc7471d8fa4c0eeeadc1eac9bddfdc3b9689c4626dd07cf4b3c6366eeda0e66e025f19c23eddfe5d31205b94592c5e583cd7fd13ac3a63032d6dc62f2d9
- SSDEEP: 3072:WyIpG2/iDbYVvgXdSeh17hBkPMmUZHO+B:XIposGo+OM/Zu
Malware Config
Extracted
- family: gh0strat
- C2: 110.40.43.81
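The extracted configuration is a bare C2 address. To go from that address to the traffic itself, the added example below (not part of the tria.ge report and not code from the Gh0st project) builds and parses frames in the classic Gh0st wire format from the leaked Gh0st 3.6 source: a 5-byte flag ("Gh0st" by default), a little-endian uint32 total frame length including the header, a little-endian uint32 uncompressed payload length, then a zlib-compressed payload. Forks routinely change the 5-byte flag, and the page does not show which flag this sample uses, so the flag is a parameter. The parser refuses frames whose declared length disagrees with what actually inflates, which both rejects garbage and caps decompression. All messages in the block are constructed, not captured.

```python
import struct
import zlib

# Classic Gh0st frame (leaked Gh0st 3.6 source): 5-byte flag, uint32 total length
# (header included), uint32 uncompressed payload length, then a zlib stream.
# Integers are little-endian. "Gh0st" is the default flag; forks substitute other
# 5-byte strings, so the flag is a parameter rather than a hard-coded constant.
DEFAULT_FLAG = b"Gh0st"
HEADER = struct.Struct("<5sII")
MAX_PAYLOAD = 16 * 1024 * 1024   # refuse to inflate beyond this (decompression-bomb guard)
C2_FROM_REPORT = "110.40.43.81"  # address extracted in the report above; labelling only


def build_frame(payload: bytes, flag: bytes = DEFAULT_FLAG) -> bytes:
    """Wrap a payload the way a Gh0st peer does before sending it."""
    if len(flag) != 5:
        raise ValueError("flag must be exactly 5 bytes")
    body = zlib.compress(payload)
    return HEADER.pack(flag, HEADER.size + len(body), len(payload)) + body


def parse_frame(buf: bytes, flag: bytes = DEFAULT_FLAG):
    """Parse one frame from the front of buf.

    Returns (payload, rest) for a complete frame, (None, buf) when more bytes are
    needed, and raises ValueError when the bytes cannot be a well-formed frame.
    """
    if len(buf) < HEADER.size:
        return None, buf
    got_flag, total, orig = HEADER.unpack_from(buf)
    if got_flag != flag:
        raise ValueError("unexpected flag %r" % got_flag)
    if total < HEADER.size:
        raise ValueError("total length %d is smaller than the header" % total)
    if orig > MAX_PAYLOAD:
        raise ValueError("declared payload length %d exceeds limit" % orig)
    if len(buf) < total:
        return None, buf  # partial frame: wait for more data
    inflater = zlib.decompressobj()
    try:
        # Ask for at most orig+1 bytes so a lying header cannot make us inflate unbounded data.
        payload = inflater.decompress(buf[HEADER.size:total], orig + 1)
    except zlib.error as exc:
        raise ValueError("zlib error: %s" % exc) from exc
    if len(payload) != orig or not inflater.eof or inflater.unused_data:
        raise ValueError("payload length mismatch: declared %d, inflated %d" % (orig, len(payload)))
    return payload, buf[total:]


def split_stream(data: bytes, flag: bytes = DEFAULT_FLAG):
    """Split a reassembled TCP stream into complete frame payloads plus any trailing partial frame."""
    payloads = []
    while True:
        payload, data = parse_frame(data, flag)
        if payload is None:
            return payloads, data
        payloads.append(payload)


def command_token(payload: bytes):
    """In classic Gh0st the first payload byte is the command/token id; None for an empty payload."""
    return payload[0] if payload else None


if __name__ == "__main__":
    # Constructed messages, not captured traffic from the sample.
    stream = build_frame(b"\x66constructed-login-blob") + build_frame(b"\x67")
    payloads, rest = split_stream(stream + b"Gh0st\x30\x00")  # trailing partial header
    for p in payloads:
        print("token 0x%02x, %d bytes" % (command_token(p), len(p)))
    print("leftover bytes:", rest)
```

Feed the C2 flow for 110.40.43.81 (after TCP reassembly) into split_stream; a stream that parses cleanly with the default flag is strong confirmation of the family, while a consistent ValueError on the flag check with an otherwise plausible length field points at a fork with a changed magic.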
Signatures
-
Gh0st RAT payload (5 IoCs)
YARA rule family_gh0strat matched in:
- behavioral1/memory/1308-1-0x0000000010000000-0x0000000010015000-memory.dmp
- behavioral1/memory/2608-15-0x00000000004B0000-0x0000000000514000-memory.dmp
- behavioral1/memory/2608-17-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/2568-22-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/1308-23-0x0000000000400000-0x0000000000464000-memory.dmp
Executes dropped EXE (2 IoCs)
- PID 2608: Terms.exe
- PID 2568: Terms.exe
Loads dropped DLL (1 IoC)
- PID 2608: Terms.exe

UPX packer signature (YARA rule upx, 6 IoCs)
YARA rule upx matched in:
- behavioral1/memory/1308-0-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/files/0x000b000000014b6d-7.dat
- behavioral1/memory/2608-8-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/2608-17-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/2568-22-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/1308-23-0x0000000000400000-0x0000000000464000-memory.dmp
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe
File opened (read-only), 22 drive roots, every letter except A:, C:, D: and F::
\??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Program Files directory (2 IoCs)
Process: eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe
- File created: C:\Program Files (x86)\Terms.exe
- File opened for modification: C:\Program Files (x86)\Terms.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 1308: eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2608 (Terms.exe) wrote to memory of PID 2568 (procid_target 29), recorded four times
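The signatures above are each a simple predicate over the sandbox's event log: a process opening the root of many non-C: volumes, a read under CentralProcessor\0, a file created under Program Files that is later executed, and a cross-process WriteProcessMemory. The added example below (not part of the tria.ge report, and not tria.ge's own rule engine) re-derives those five signatures from a constructed event stream shaped like the report's IoC rows, including benign noise from an assumed explorer.exe (PID 900) so the drive-enumeration threshold is exercised. Event kinds, PIDs other than those in the report, and the threshold of three drives are assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str      # file_open | file_create | reg_query | process_start | write_process_memory (assumed schema)
    pid: int
    process: str   # image name as the sandbox logs it
    target: str    # path, registry key, or target PID as text


DROPPER = "eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe"
DROPPED = "C:\\Program Files (x86)\\Terms.exe"
CPU_KEY = "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")   # \??\X: as the sandbox records it

# Constructed event stream mirroring the report's IoC rows; not real telemetry.
EVENTS = [
    # benign noise (assumed): explorer touching the system drive and one data drive
    Event("file_open", 900, "explorer.exe", "\\??\\C:"),
    Event("file_open", 900, "explorer.exe", "\\??\\D:"),
    # the dropper opens every drive letter the report lists
    *[Event("file_open", 1308, DROPPER, "\\??\\%s:" % letter) for letter in "JOVYPSUZBGHLTIKNRXEMQW"],
    Event("reg_query", 1308, DROPPER, CPU_KEY + "\\~MHz"),
    Event("file_create", 1308, DROPPER, DROPPED),
    Event("process_start", 2608, "Terms.exe", DROPPED),
    *[Event("write_process_memory", 2608, "Terms.exe", "2568")] * 4,
    Event("process_start", 2568, "Terms.exe", DROPPED),
]


def enumerates_drives(events, min_drives=3):
    """'Enumerates connected drives': a PID opening the root of >= min_drives volumes other than C:."""
    roots = defaultdict(set)
    for e in events:
        if e.kind != "file_open":
            continue
        m = DRIVE_ROOT.match(e.target)
        if m and m.group(1) != "C":
            roots[e.pid].add(m.group(1))
    return {pid: "".join(sorted(s)) for pid, s in roots.items() if len(s) >= min_drives}


def checks_cpu_info(events):
    """'Checks processor information in registry': any read at or under CentralProcessor\\0."""
    return sorted({e.pid for e in events
                   if e.kind == "reg_query" and e.target.lower().startswith(CPU_KEY.lower())})


def drops_in_program_files(events):
    """'Drops file in Program Files directory'."""
    return sorted({(e.pid, e.target) for e in events
                   if e.kind == "file_create" and e.target.lower().startswith(PROGRAM_FILES)})


def executes_dropped_exe(events):
    """'Executes dropped EXE': a process whose image was created earlier in the same run."""
    dropped = {e.target.lower() for e in events if e.kind == "file_create"}
    return sorted({e.pid for e in events if e.kind == "process_start" and e.target.lower() in dropped})


def cross_process_writes(events):
    """'Suspicious use of WriteProcessMemory': writes into a PID other than the writer's own."""
    hits = defaultdict(int)
    for e in events:
        if e.kind == "write_process_memory" and int(e.target) != e.pid:
            hits[(e.pid, int(e.target))] += 1
    return dict(hits)


def run_signatures(events):
    """Evaluate all five predicates and return hits keyed by the report's signature names."""
    return {
        "Enumerates connected drives": enumerates_drives(events),
        "Checks processor information in registry": checks_cpu_info(events),
        "Drops file in Program Files directory": drops_in_program_files(events),
        "Executes dropped EXE": executes_dropped_exe(events),
        "Suspicious use of WriteProcessMemory": cross_process_writes(events),
    }


if __name__ == "__main__":
    for name, hits in run_signatures(EVENTS).items():
        print("%-45s %r" % (name, hits))
```

The same predicates port directly to Sysmon (event IDs 1, 8/10, 11, 12/13) or EDR telemetry; the only tuning knob worth exposing is the drive threshold, since backup agents and file managers legitimately open a few drive roots but rarely twenty-two.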
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484.exe"
  PID: 1308
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
- Image: C:\Program Files (x86)\Terms.exe
  Command line: "C:\Program Files (x86)\Terms.exe"
  PID: 2608
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files (x86)\Terms.exe
    Command line: "C:\Program Files (x86)\Terms.exe" Win7
    PID: 2568
    - Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 114KB
- MD5: c4a0cde1025bad5dc53dd73ec2b5ad4f
- SHA1: 2860366d72aecc844f19382ef5abdc2a8a928b73
- SHA256: eb118b4dfc58c978232dbb9f0aa9b8854f005460c1c3f0453edcec01e13ab484
- SHA512: 38e20cc7471d8fa4c0eeeadc1eac9bddfdc3b9689c4626dd07cf4b3c6366eeda0e66e025f19c23eddfe5d31205b94592c5e583cd7fd13ac3a63032d6dc62f2d9
All four hashes match the submitted sample listed under General; this download is the original file, not the dropped Terms.exe.