Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 24/08/2024, 07:10
Behavioral task: behavioral1
Sample: 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
Resource: win10v2004-20240802-en
General
Target: 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
Size: 133KB
MD5: 2bc61d0570033a0058c8b491dc636b15
SHA1: 33b2fe2b01f7de3919e18a745e25267257b74f3a
SHA256: 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9
SHA512: 91f1d9f8df7806a8581997d6f1aa80fc2302c7c3525918f4acfa9e1318b4c10419894f529c596f1f0f796d3f5b2b6be301d25950e0c5d6b50f34f7231cca0652
SSDEEP: 3072:kyIpG2/iDbY588txzTCyPCWfzmrOzabq5iul6u6iGkFuMR8iV:pIpos5zxPCWfaazsq5T6u+2ui8iV
Malware Config
Extracted
gh0strat
159.75.71.140
Signatures
Gh0st RAT payload (4 IoCs)
resource | yara_rule
behavioral1/memory/2388-15-0x0000000000400000-0x000000000046D000-memory.dmp | family_gh0strat
behavioral1/memory/2992-1-0x0000000010000000-0x0000000010015000-memory.dmp | family_gh0strat
behavioral1/memory/1832-19-0x0000000000400000-0x000000000046D000-memory.dmp | family_gh0strat
behavioral1/memory/2992-20-0x0000000000400000-0x000000000046D000-memory.dmp | family_gh0strat
Executes dropped EXE (2 IoCs)
pid | Process
2388 | Iumuwyo.exe
1832 | Iumuwyo.exe
UPX-matching resources (yara rule: upx)
resource | yara_rule
behavioral1/memory/2388-15-0x0000000000400000-0x000000000046D000-memory.dmp | upx
behavioral1/memory/1832-13-0x0000000000400000-0x000000000046D000-memory.dmp | upx
behavioral1/files/0x00090000000120f8-12.dat | upx
behavioral1/memory/2992-0-0x0000000000400000-0x000000000046D000-memory.dmp | upx
behavioral1/memory/1832-19-0x0000000000400000-0x000000000046D000-memory.dmp | upx
behavioral1/memory/2992-20-0x0000000000400000-0x000000000046D000-memory.dmp | upx
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Iumuwyo.exe | 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
File opened for modification | C:\Program Files (x86)\Iumuwyo.exe | 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iumuwyo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iumuwyo.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
2992 | 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
2992 | 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
2992 | 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
2388 | Iumuwyo.exe
2388 | Iumuwyo.exe
2388 | Iumuwyo.exe
1832 | Iumuwyo.exe
1832 | Iumuwyo.exe
1832 | Iumuwyo.exe
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
2992 | 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2388 wrote to memory of 1832 | 2388 | Iumuwyo.exe | 32
PID 2388 wrote to memory of 1832 | 2388 | Iumuwyo.exe | 32
PID 2388 wrote to memory of 1832 | 2388 | Iumuwyo.exe | 32
PID 2388 wrote to memory of 1832 | 2388 | Iumuwyo.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID: 2992
C:\Program Files (x86)\Iumuwyo.exe
  Command line: "C:\Program Files (x86)\Iumuwyo.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2388
  C:\Program Files (x86)\Iumuwyo.exe (child of PID 2388)
    Command line: "C:\Program Files (x86)\Iumuwyo.exe" Win7
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1832
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 133KB
MD5: 2bc61d0570033a0058c8b491dc636b15
SHA1: 33b2fe2b01f7de3919e18a745e25267257b74f3a
SHA256: 7516526ef9d70b47cdac5a7d595ca7f98893ee311252ce579f080c7386b821a9
SHA512: 91f1d9f8df7806a8581997d6f1aa80fc2302c7c3525918f4acfa9e1318b4c10419894f529c596f1f0f796d3f5b2b6be301d25950e0c5d6b50f34f7231cca0652