Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/02/2025, 04:00

General

  • Target

    e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe

  • Size

    283KB

  • MD5

    5568dd7f573dde864b800e2f4db0011f

  • SHA1

    b18f41952865be0e38a9f61702d6d72866a76626

  • SHA256

    e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c

  • SHA512

    da06b1addde5f7f355da21a0f1ec8a96d6d0acb486ff06c27d5b67bf8351989877c9f7ca48f6b49fe8f3111c85b6ef3bf81b9674b93e7f061d2c21882ec954c4

  • SSDEEP

    6144:XhR0F/vfDPYvVVPVtN7EJtUHbQrokoauY5bXngqVX3MQ0x6fX65:a/nAhEJteQreLY5bXgI50xIK5

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe
    "C:\Users\Admin\AppData\Local\Temp\e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\staitr.exe
      "C:\staitr.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Ksafetray.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2448
    • C:\¿Õ³Ç1.19.exe
      "C:\¿Õ³Ç1.19.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\staitr.exe

    Filesize

    124KB

    MD5

    e1318901404602a0a03eb59b65e6e068

    SHA1

    c0086f6aeb026f0ab2c3a8fa5197603484ca91a0

    SHA256

    8e93f5fb32c37654b7149ee9381faaa8aede9b202e17fe2011015174920d77c7

    SHA512

    32d58129cebbfcba9a346b26446093dd671aee9049fb87f6fffd6036dbb5309202bbef977b9b0cda0b4bfd39cc883a7695b0cbf2a3fb617c767fbf2b4ca64fee

  • C:\¿Õ³Ç1.19.exe

    Filesize

    207KB

    MD5

    a31a549daa01243092bfb7545c64cdd2

    SHA1

    cf5c592a47cdf5b661bb6d00f163c9afaaf2e73f

    SHA256

    841c688c7a97fa8b0e0f3b1eab984c153aca0058368330dcdf07fae0a4ce97fa

    SHA512

    bbc114f3dfc28ac72c070873f1298b306f605ce3b13b4947bfff94cefc394cfea27f9587fa2f5b62934d37cf5e6f77890f7ae2c9863cf00a366b4b9a4ecb63ef

  • memory/316-19-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2228-15-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

  • memory/2228-17-0x0000000000230000-0x00000000002D8000-memory.dmp

    Filesize

    672KB

  • memory/2228-18-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB