Analysis
max time kernel: 135s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2025, 04:00
Static task: static1
Behavioral task: behavioral1
Sample: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe
Resource: win7-20240903-en
General
Target: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe
Size: 283KB
MD5: 5568dd7f573dde864b800e2f4db0011f
SHA1: b18f41952865be0e38a9f61702d6d72866a76626
SHA256: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c
SHA512: da06b1addde5f7f355da21a0f1ec8a96d6d0acb486ff06c27d5b67bf8351989877c9f7ca48f6b49fe8f3111c85b6ef3bf81b9674b93e7f061d2c21882ec954c4
SSDEEP: 6144:XhR0F/vfDPYvVVPVtN7EJtUHbQrokoauY5bXngqVX3MQ0x6fX65:a/nAhEJteQreLY5bXgI50xIK5
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral2/files/0x000a000000023d24-5.dat  yara_rule: family_gh0strat

Gh0strat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation  Process: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe

Executes dropped EXE (2 IoCs)
  pid: 2416  Process: staitr.exe
  pid: 640  Process: ¿Õ³Ç1.19.exe

upx yara_rule matches (3 IoCs)
  resource: behavioral2/files/0x0009000000023d27-15.dat  yara_rule: upx
  resource: behavioral2/memory/640-21-0x0000000000400000-0x00000000004A8000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/640-32-0x0000000000400000-0x00000000004A8000-memory.dmp  yara_rule: upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: staitr.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: ¿Õ³Ç1.19.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid: 640  Process: ¿Õ³Ç1.19.exe
  pid: 640  Process: ¿Õ³Ç1.19.exe
  pid: 640  Process: ¿Õ³Ç1.19.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  pid: 640  Process: ¿Õ³Ç1.19.exe
  pid: 640  Process: ¿Õ³Ç1.19.exe
  pid: 640  Process: ¿Õ³Ç1.19.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid: 640  Process: ¿Õ³Ç1.19.exe
  pid: 640  Process: ¿Õ³Ç1.19.exe
  pid: 640  Process: ¿Õ³Ç1.19.exe
  pid: 640  Process: ¿Õ³Ç1.19.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1048 wrote to memory of 2416  pid: 1048  Process: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe  procid_target: 91
  description: PID 1048 wrote to memory of 2416  pid: 1048  Process: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe  procid_target: 91
  description: PID 1048 wrote to memory of 2416  pid: 1048  Process: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe  procid_target: 91
  description: PID 1048 wrote to memory of 640  pid: 1048  Process: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe  procid_target: 92
  description: PID 1048 wrote to memory of 640  pid: 1048  Process: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe  procid_target: 92
  description: PID 1048 wrote to memory of 640  pid: 1048  Process: e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe  procid_target: 92
Processes
- C:\Users\Admin\AppData\Local\Temp\e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe"
  PID: 1048
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\staitr.exe
    command line: "C:\staitr.exe"
    PID: 2416
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\¿Õ³Ç1.19.exe
    command line: "C:\¿Õ³Ç1.19.exe"
    PID: 640
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 124KB
  MD5: e1318901404602a0a03eb59b65e6e068
  SHA1: c0086f6aeb026f0ab2c3a8fa5197603484ca91a0
  SHA256: 8e93f5fb32c37654b7149ee9381faaa8aede9b202e17fe2011015174920d77c7
  SHA512: 32d58129cebbfcba9a346b26446093dd671aee9049fb87f6fffd6036dbb5309202bbef977b9b0cda0b4bfd39cc883a7695b0cbf2a3fb617c767fbf2b4ca64fee
- Filesize: 207KB
  MD5: a31a549daa01243092bfb7545c64cdd2
  SHA1: cf5c592a47cdf5b661bb6d00f163c9afaaf2e73f
  SHA256: 841c688c7a97fa8b0e0f3b1eab984c153aca0058368330dcdf07fae0a4ce97fa
  SHA512: bbc114f3dfc28ac72c070873f1298b306f605ce3b13b4947bfff94cefc394cfea27f9587fa2f5b62934d37cf5e6f77890f7ae2c9863cf00a366b4b9a4ecb63ef