Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2025, 12:48

General

  • Target

    0.exe

  • Size

    71KB

  • MD5

    2a9d0d06d292a4cbbe4a95da4650ed54

  • SHA1

    44c32dfae9ac971c3651adbd82c821971a5400dc

  • SHA256

    09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c

  • SHA512

    ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d

  • SSDEEP

    1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0.exe
    "C:\Users\Admin\AppData\Local\Temp\0.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3944
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\1130500.dll

    Filesize

    64KB

    MD5

    45dc749351fd65d71da89ca2ed2766cb

    SHA1

    e080faf81157b7f867cb56938c5e579c206af9b9

    SHA256

    391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25

    SHA512

    7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74

  • \??\c:\NT_Path.jpg

    Filesize

    54B

    MD5

    07277521a046f9c6cac3231f4ad8f2bf

    SHA1

    2ca41a99b4c86d6868c8fbdfe5352f6a8cf8f654

    SHA256

    bbb0a39264a7b00e4036d4d12512242ba76cff3d16f13f2f89309175b556000f

    SHA512

    2382a52cdf44d6da5cda53cdf8d79f658565896621f4d198465e0e9ad62d839bb81742f36e60e889d34b4e44b26eeb7fa2b49d61ee06d23a4f3feced1d3abd62

  • \??\c:\windows\filename.jpg

    Filesize

    10.7MB

    MD5

    367fa50b6ed9a31e932c535bb11f7e44

    SHA1

    6cad16d17f825bc06986b6a4a4a8653a93619081

    SHA256

    89e9820f4d84927d4f991de9d878190dfc797a71587d2600060d64da37761de2

    SHA512

    ab80860db42dd36ced4a6cb1ff8f3da8de927e0d686ff906c5e0227e8e30d6aab57eb7bf9bff4dc30c2cd9e2a59a291dcc6f16152a47caab9ad74b3243144f60