Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    04/12/2024, 02:57

General

  • Target

    1433.exe

  • Size

    353KB

  • MD5

    63573bb58c5b28cc5671cf7b121671c7

  • SHA1

    79ca6878a2fae339bd8abbc0f3b42a2516d74779

  • SHA256

    cc5a84f68a4bc2303461ba75506ce239a3128f7a3b3068e663c16d2fb6336edb

  • SHA512

    fa9864f8e5d8e104d5f9e6c0ffdb820dd9e7ef365fa856d9903e735d9c36105530baf24fbb1e3e2025e10d2eff54d7cba7f4ef8f42af00ffbdb62cb9f76eea8f

  • SSDEEP

    6144:qmBZ5WcNancq4m8Jm50HkbIn9tskARz/pkkYLZxYYWz3mvxo:LBZ5WcYnBH8Jm5Fg9tskAt/pkbrYYWzD

Malware Config

Extracted

Family

redosdru

C2

http://38.60.95.6/NetSyst96.dll

Signatures

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Redosdru

    Redosdru is a loader/downloader written in C++.

  • Redosdru family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1433.exe
    "C:\Users\Admin\AppData\Local\Temp\1433.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Program Files (x86)\Microsoft Bfqtjt\Lpbduuz.exe
      "C:\Program Files (x86)\Microsoft Bfqtjt\Lpbduuz.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Bfqtjt\Lpbduuz.exe

    Filesize

    353KB

    MD5

    63573bb58c5b28cc5671cf7b121671c7

    SHA1

    79ca6878a2fae339bd8abbc0f3b42a2516d74779

    SHA256

    cc5a84f68a4bc2303461ba75506ce239a3128f7a3b3068e663c16d2fb6336edb

    SHA512

    fa9864f8e5d8e104d5f9e6c0ffdb820dd9e7ef365fa856d9903e735d9c36105530baf24fbb1e3e2025e10d2eff54d7cba7f4ef8f42af00ffbdb62cb9f76eea8f

  • C:\Program Files\AppPatch\NetSyst96.dll

    Filesize

    239KB

    MD5

    8c19d83ff359a1b77cb06939c2e5f0cb

    SHA1

    a01a199e6f6f3e84cef5c7e6251a2b1291217885

    SHA256

    7baee22c9834bef64f0c1b7f5988d9717855942d87c82f019606d07589bc51a9

    SHA512

    b241c7b0f6372483faf4630e82d7f609e8450bac17cedaeb8fc7db8157ec5363e153f5cab5188eee6d8b27b366656877d4421122c8e26a0a739b6c5308bde381

  • memory/1380-4-0x0000000010000000-0x000000001034B000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-7-0x0000000010000000-0x000000001034B000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-8-0x0000000010000000-0x000000001034B000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-9-0x0000000010000000-0x000000001034B000-memory.dmp

    Filesize

    3.3MB

  • memory/4908-16-0x0000000010000000-0x000000001034B000-memory.dmp

    Filesize

    3.3MB

  • memory/4908-18-0x0000000010000000-0x000000001034B000-memory.dmp

    Filesize

    3.3MB

  • memory/4908-17-0x0000000010000000-0x000000001034B000-memory.dmp

    Filesize

    3.3MB

  • memory/4908-15-0x0000000010000000-0x000000001034B000-memory.dmp

    Filesize

    3.3MB

  • memory/4908-13-0x0000000010000000-0x000000001034B000-memory.dmp

    Filesize

    3.3MB