Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

7ae098ad9f...00.exe

windows7-x64

10

7ae098ad9f...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/09/2024, 07:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ae098ad9f95ebedb2b11a5c201ce0e4cf0561349332375d398b79c262f07f00.exe

  • Size

    611KB

  • MD5

    6fa0005ec0a80e557577b4bb6a96247d

  • SHA1

    729280eb0028c31d2b8ce78d5ea8e7c9581bb5f8

  • SHA256

    7ae098ad9f95ebedb2b11a5c201ce0e4cf0561349332375d398b79c262f07f00

  • SHA512

    4efb517afa7c7fad178df972c95df8e37fa65dfb5611e61bdc10045a05fcc677e1cbd68a2563ca5504741d0a81dd20ebf95fe017d2396c402cb04f580876c016

  • SSDEEP

    12288:tFpuzZSkcBNrl5mTEUkDaSdJfpSaoNRVBUyMCe8VMM80B7qrI3iK1XBwZQmm:tFmShDrngEUkDaiJfpSaoNRpMCe8CM8i

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 5 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 12 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ae098ad9f95ebedb2b11a5c201ce0e4cf0561349332375d398b79c262f07f00.exe
    "C:\Users\Admin\AppData\Local\Temp\7ae098ad9f95ebedb2b11a5c201ce0e4cf0561349332375d398b79c262f07f00.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\7AE098~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2616
  • C:\Windows\SysWOW64\Aqiyq.exe
    C:\Windows\SysWOW64\Aqiyq.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\SysWOW64\Aqiyq.exe
      C:\Windows\SysWOW64\Aqiyq.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2736

Network

  • flag-us
    DNS
    caonima.ydns.eu
    Aqiyq.exe
    Remote address:
    8.8.8.8:53
    Request
    caonima.ydns.eu
    IN A
    Response
    caonima.ydns.eu
    IN A
    45.125.32.99
  • 45.125.32.99:8089
    caonima.ydns.eu
    Aqiyq.exe
    1.1kB
     783 B
     18
    18
  • 8.8.8.8:53
    caonima.ydns.eu
    dns
    Aqiyq.exe
    61 B
     77 B
     1
    1

    DNS Request

    caonima.ydns.eu

    DNS Response

    45.125.32.99

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Aqiyq.exe
    Filesize

    611KB

    MD5

    6fa0005ec0a80e557577b4bb6a96247d

    SHA1

    729280eb0028c31d2b8ce78d5ea8e7c9581bb5f8

    SHA256

    7ae098ad9f95ebedb2b11a5c201ce0e4cf0561349332375d398b79c262f07f00

    SHA512

    4efb517afa7c7fad178df972c95df8e37fa65dfb5611e61bdc10045a05fcc677e1cbd68a2563ca5504741d0a81dd20ebf95fe017d2396c402cb04f580876c016

    Download Submit

  • memory/2648-0-0x0000000000400000-0x0000000000585000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2648-1-0x0000000010000000-0x000000001019F000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2648-19-0x0000000000400000-0x0000000000585000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2736-28-0x0000000000400000-0x0000000000585000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2816-20-0x0000000001180000-0x0000000001305000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2816-30-0x0000000000400000-0x0000000000585000-memory.dmp

    Filesize

    1.5MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.