Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

65fe8e2dc0...c3.exe

windows7-x64

10

65fe8e2dc0...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24/09/2024, 05:31 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65fe8e2dc05c8ae90caf91809c77bbc3.exe

  • Size

    1.5MB

  • MD5

    65fe8e2dc05c8ae90caf91809c77bbc3

  • SHA1

    317c19da97aa28e7459d4dce179730fa1b272d1a

  • SHA256

    9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b

  • SHA512

    893efe2b0148d28e2919d806976df452f22914223408f68c5c33917392ddaefba5f167dff19a2057062bf640ba00c4aaeb3e295e7c49a708808e769ae811a071

  • SSDEEP

    24576:eYVLN+uGOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:BTT3HPkVOBTK

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 12 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65fe8e2dc05c8ae90caf91809c77bbc3.exe
    "C:\Users\Admin\AppData\Local\Temp\65fe8e2dc05c8ae90caf91809c77bbc3.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\65FE8E~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2740
  • C:\Windows\SysWOW64\Jbrja.exe
    C:\Windows\SysWOW64\Jbrja.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\SysWOW64\Jbrja.exe
      C:\Windows\SysWOW64\Jbrja.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2528

Network

    No results found
  • 23.224.239.66:111
    Jbrja.exe
    997 B
     548 B
     16
    12
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Jbrja.exe
    Filesize

    1.5MB

    MD5

    65fe8e2dc05c8ae90caf91809c77bbc3

    SHA1

    317c19da97aa28e7459d4dce179730fa1b272d1a

    SHA256

    9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b

    SHA512

    893efe2b0148d28e2919d806976df452f22914223408f68c5c33917392ddaefba5f167dff19a2057062bf640ba00c4aaeb3e295e7c49a708808e769ae811a071

    Download Submit

  • memory/1680-0-0x0000000010000000-0x000000001019F000-memory.dmp

    Filesize

    1.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.