Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    34s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/09/2024, 03:42

General

  • Target

    Ghost Stealer/Ghost.builder.pdb

  • Size

    113KB

  • MD5

    9923a8c48c0375680cd8f34fb9a6b8d0

  • SHA1

    d1e8cf4fbfa19bf86e3877a641e8e3f2582d95c6

  • SHA256

    58f1ca3f7165b0688db2cbf2ec91c0df5dacb43ee03fcd9ddd2a500d162e6899

  • SHA512

    ac0222ec40f5fc62007314ef5e387a0c60743305b50b43d34c56eaad8fbe9210847206067f7ea0f5eede0be6dd5a0729ce4477fa367557b10b5017c721222c04

  • SSDEEP

    1536:1QAYHXpGuF9AVm6XDAUpT+tq91M/ihARY+C3QA:uHBF9AdTAU8AhARY

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Ghost Stealer\Ghost.builder.pdb"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ghost Stealer\Ghost.builder.pdb
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ghost Stealer\Ghost.builder.pdb"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2368

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    aca3ff2c94991e80f95fd9641e084495

    SHA1

    99df2813e2d189752284861748f0c38c0b99906a

    SHA256

    1d539b84c24a25a850a324fba179109ce3afc2ec534a9412b06b925b581db9c9

    SHA512

    7533faa10f7c4d33f5d97d3e04f1a0b675a7200969831cd5687e2c5170f3d3d3decc5150b00f84a0c68bb70a0dd63b2e14488cb3de34e83c41c445ca0ca0be50