Analysis
- max time kernel: 93s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2025, 08:24

Static task: static1
Behavioral task: behavioral1
- Sample: setups.exe
- Resource: win7-20240903-en

General
- Target: setups.exe
- Size: 22.6MB
- MD5: d6437b34d2f4ebc283dba35fa11fec25
- SHA1: cf4ede6cff02f7d43362e1a7c87657fa6099842d
- SHA256: 1a849f51b091f22e8949ca92f5e99482bd3d9202c76fa27afd209f0e21b46bcc
- SHA512: 02524b129c33b1e2c378fc46d9f1bf98f5422c1b4bac6fae9bbce46cba9a762970dc93a643c41aaefcafe43734fdba3ba8e78227dd559b3c3f135085f31e4cff
- SSDEEP: 6144:lUrJnWqbUNZFXXp1pvpGFd7XDda328nnnnnnR:qlWqYvMFJUma
Malware Config

Signatures
- Gh0st RAT payload (4 IoCs)
  resource / yara_rule:
  - behavioral2/files/0x000b000000023b36-7.dat: family_gh0strat
  - behavioral2/memory/4092-11-0x0000000020000000-0x0000000020027000-memory.dmp: family_gh0strat
  - behavioral2/memory/4020-16-0x0000000020000000-0x0000000020027000-memory.dmp: family_gh0strat
  - behavioral2/memory/2300-21-0x0000000020000000-0x0000000020027000-memory.dmp: family_gh0strat
- Gh0strat family
- Deletes itself (1 IoC)
  - pid 4400, process gdskuwsbxe
- Executes dropped EXE (1 IoC)
  - pid 4400, process gdskuwsbxe
- Loads dropped DLL (3 IoCs)
  - pid 4092, process svchost.exe
  - pid 4020, process svchost.exe
  - pid 2300, process svchost.exe
- Drops file in System32 directory (6 IoCs)
  - File created: C:\Windows\SysWOW64\eogpwbbshl (svchost.exe)
  - File opened for modification: C:\Windows\SysWOW64\svchost.exe.txt (svchost.exe)
  - File created: C:\Windows\SysWOW64\exddhuvxhv (svchost.exe)
  - File opened for modification: C:\Windows\SysWOW64\svchost.exe.txt (svchost.exe)
  - File created: C:\Windows\SysWOW64\egrwpxyutq (svchost.exe)
  - File opened for modification: C:\Windows\SysWOW64\svchost.exe.txt (svchost.exe)
- Drops file in Program Files directory (1 IoC)
  - File opened for modification: C:\Program Files (x86)\WinRAR\Formats\Date\I%SESSIONNAME%\svnwi.cc3 (gdskuwsbxe)
- Program crash (3 IoCs)
  - pid 3016 (WerFault.exe), pid_target 4092, procid_target 87
  - pid 436 (WerFault.exe), pid_target 4020, procid_target 96
  - pid 4664 (WerFault.exe), pid_target 2300, procid_target 100
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (setups.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (gdskuwsbxe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - pid 4400, process gdskuwsbxe
  - pid 4400, process gdskuwsbxe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Tokens adjusted, grouped by process in the order recorded:
  - pid 4400 gdskuwsbxe: SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege
  - pid 4092 svchost.exe: SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
  - pid 4020 svchost.exe: SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
  - pid 2300 svchost.exe: SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 64 wrote to memory of 4400: pid 64 (setups.exe), procid_target 83
  - PID 64 wrote to memory of 4400: pid 64 (setups.exe), procid_target 83
  - PID 64 wrote to memory of 4400: pid 64 (setups.exe), procid_target 83
Processes
- C:\Users\Admin\AppData\Local\Temp\setups.exe (PID 64)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setups.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: \??\c:\users\admin\appdata\local\gdskuwsbxe (PID 4400)
    Command line: "C:\Users\Admin\AppData\Local\Temp\setups.exe" a -sc:\users\admin\appdata\local\temp\setups.exe
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (PID 4092)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\SysWOW64\WerFault.exe (PID 3016)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 884
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3560)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4092 -ip 4092
- C:\Windows\SysWOW64\svchost.exe (PID 4020)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\SysWOW64\WerFault.exe (PID 436)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 860
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1144)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4020 -ip 4020
- C:\Windows\SysWOW64\svchost.exe (PID 2300)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\SysWOW64\WerFault.exe (PID 4664)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 944
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4292)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2300 -ip 2300
Network
MITRE ATT&CK Enterprise v15
Downloads