Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2025, 12:48
Behavioral task: behavioral1
Sample: 0.exe
Resource: win7-20241010-en
General
Target: 0.exe
Size: 71KB
MD5: 2a9d0d06d292a4cbbe4a95da4650ed54
SHA1: 44c32dfae9ac971c3651adbd82c821971a5400dc
SHA256: 09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
SHA512: ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
SSDEEP: 1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000c000000023b85-2.dat | family_gh0strat
  behavioral2/files/0x000b000000023c84-11.dat | family_gh0strat
- Gh0strat family
- Deletes itself (1 IoC)
  pid | Process
  4120 | svchost.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  3944 | 0.exe
  4120 | svchost.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\FileName.jpg | 0.exe
  File opened for modification | C:\Windows\FileName.jpg | 0.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4120 | svchost.exe (64 identical entries)
- Suspicious behavior: LoadsDriver (6 IoCs)
  pid | Process
  4 | Process not Found (5 identical entries)
  656 | Process not Found
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 3944 | 0.exe (4 identical entries)
  Token: SeRestorePrivilege | 3944 | 0.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 3944
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4120
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: 45dc749351fd65d71da89ca2ed2766cb
  SHA1: e080faf81157b7f867cb56938c5e579c206af9b9
  SHA256: 391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
  SHA512: 7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
- Filesize: 54B
  MD5: 07277521a046f9c6cac3231f4ad8f2bf
  SHA1: 2ca41a99b4c86d6868c8fbdfe5352f6a8cf8f654
  SHA256: bbb0a39264a7b00e4036d4d12512242ba76cff3d16f13f2f89309175b556000f
  SHA512: 2382a52cdf44d6da5cda53cdf8d79f658565896621f4d198465e0e9ad62d839bb81742f36e60e889d34b4e44b26eeb7fa2b49d61ee06d23a4f3feced1d3abd62
- Filesize: 10.7MB
  MD5: 367fa50b6ed9a31e932c535bb11f7e44
  SHA1: 6cad16d17f825bc06986b6a4a4a8653a93619081
  SHA256: 89e9820f4d84927d4f991de9d878190dfc797a71587d2600060d64da37761de2
  SHA512: ab80860db42dd36ced4a6cb1ff8f3da8de927e0d686ff906c5e0227e8e30d6aab57eb7bf9bff4dc30c2cd9e2a59a291dcc6f16152a47caab9ad74b3243144f60