Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2025, 04:00

General

  • Target

    e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe

  • Size

    283KB

  • MD5

    5568dd7f573dde864b800e2f4db0011f

  • SHA1

    b18f41952865be0e38a9f61702d6d72866a76626

  • SHA256

    e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c

  • SHA512

    da06b1addde5f7f355da21a0f1ec8a96d6d0acb486ff06c27d5b67bf8351989877c9f7ca48f6b49fe8f3111c85b6ef3bf81b9674b93e7f061d2c21882ec954c4

  • SSDEEP

    6144:XhR0F/vfDPYvVVPVtN7EJtUHbQrokoauY5bXngqVX3MQ0x6fX65:a/nAhEJteQreLY5bXgI50xIK5

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe
    "C:\Users\Admin\AppData\Local\Temp\e991b2a533dbec2853a00547d5158d9be1d432abc812937b9acd46155a9c204c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\staitr.exe
      "C:\staitr.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2416
    • C:\¿Õ³Ç1.19.exe
      "C:\¿Õ³Ç1.19.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\staitr.exe

    Filesize

    124KB

    MD5

    e1318901404602a0a03eb59b65e6e068

    SHA1

    c0086f6aeb026f0ab2c3a8fa5197603484ca91a0

    SHA256

    8e93f5fb32c37654b7149ee9381faaa8aede9b202e17fe2011015174920d77c7

    SHA512

    32d58129cebbfcba9a346b26446093dd671aee9049fb87f6fffd6036dbb5309202bbef977b9b0cda0b4bfd39cc883a7695b0cbf2a3fb617c767fbf2b4ca64fee

  • C:\¿Õ³Ç1.19.exe

    Filesize

    207KB

    MD5

    a31a549daa01243092bfb7545c64cdd2

    SHA1

    cf5c592a47cdf5b661bb6d00f163c9afaaf2e73f

    SHA256

    841c688c7a97fa8b0e0f3b1eab984c153aca0058368330dcdf07fae0a4ce97fa

    SHA512

    bbc114f3dfc28ac72c070873f1298b306f605ce3b13b4947bfff94cefc394cfea27f9587fa2f5b62934d37cf5e6f77890f7ae2c9863cf00a366b4b9a4ecb63ef

  • memory/640-21-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

  • memory/640-32-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB