Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
28/02/2025, 08:25
Static task
static1
Behavioral task
behavioral1
Sample
67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe
Resource
win7-20240903-en
General
-
Target
67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe
-
Size
207KB
-
MD5
9707616164d76d10b865f9927fbda739
-
SHA1
517ffc09fc482f459e3ce5d30b875f49a90b032f
-
SHA256
67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb
-
SHA512
80c43fa8208fc85db3e8baa66b6d5ce5dae9f144e385ca7a2d7ab72c321dddaed872af6c289f302cd2610c92c63395e1a72d2c0b5f269924871094dd3e41278d
-
SSDEEP
3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkTF:X2vnSwjaOcADw9cUeCOf
Malware Config
Extracted
gh0strat
107.163.241.193:6520
http://107.163.241.181:16300/
http://107.163.241.182:12354/login.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Signatures
-
Gh0strat family
-
Deletes itself 1 IoCs
pid Process 1456 gpkwd.exe -
Executes dropped EXE 2 IoCs
pid Process 1456 gpkwd.exe 2176 qmd.exe -
Loads dropped DLL 1 IoCs
pid Process 2176 qmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Depend = "c:\\Program Files\\ygbtw\\qmd.exe \"c:\\Program Files\\ygbtw\\qmdky.dll\",Compliance" qmd.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\y: qmd.exe File opened (read-only) \??\z: qmd.exe File opened (read-only) \??\b: qmd.exe File opened (read-only) \??\l: qmd.exe File opened (read-only) \??\u: qmd.exe File opened (read-only) \??\v: qmd.exe File opened (read-only) \??\q: qmd.exe File opened (read-only) \??\a: qmd.exe File opened (read-only) \??\e: qmd.exe File opened (read-only) \??\n: qmd.exe File opened (read-only) \??\o: qmd.exe File opened (read-only) \??\p: qmd.exe File opened (read-only) \??\s: qmd.exe File opened (read-only) \??\g: qmd.exe File opened (read-only) \??\h: qmd.exe File opened (read-only) \??\k: qmd.exe File opened (read-only) \??\w: qmd.exe File opened (read-only) \??\x: qmd.exe File opened (read-only) \??\i: qmd.exe File opened (read-only) \??\j: qmd.exe File opened (read-only) \??\m: qmd.exe File opened (read-only) \??\r: qmd.exe File opened (read-only) \??\t: qmd.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 qmd.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\ygbtw gpkwd.exe File created \??\c:\Program Files\ygbtw\qmdky.dll gpkwd.exe File created \??\c:\Program Files\ygbtw\qmd.exe gpkwd.exe File opened for modification \??\c:\Program Files\ygbtw\qmd.exe gpkwd.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gpkwd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3080 cmd.exe 2188 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 qmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString qmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2188 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2176 qmd.exe 2176 qmd.exe 2176 qmd.exe 2176 qmd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2176 qmd.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4412 67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe 1456 gpkwd.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4412 wrote to memory of 3080 4412 67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe 86 PID 4412 wrote to memory of 3080 4412 67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe 86 PID 4412 wrote to memory of 3080 4412 67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe 86 PID 3080 wrote to memory of 2188 3080 cmd.exe 88 PID 3080 wrote to memory of 2188 3080 cmd.exe 88 PID 3080 wrote to memory of 2188 3080 cmd.exe 88 PID 3080 wrote to memory of 1456 3080 cmd.exe 91 PID 3080 wrote to memory of 1456 3080 cmd.exe 91 PID 3080 wrote to memory of 1456 3080 cmd.exe 91 PID 1456 wrote to memory of 2176 1456 gpkwd.exe 92 PID 1456 wrote to memory of 2176 1456 gpkwd.exe 92 PID 1456 wrote to memory of 2176 1456 gpkwd.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe"C:\Users\Admin\AppData\Local\Temp\67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\gpkwd.exe "C:\Users\Admin\AppData\Local\Temp\67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2188
-
-
C:\Users\Admin\AppData\Local\Temp\gpkwd.exeC:\Users\Admin\AppData\Local\Temp\\gpkwd.exe "C:\Users\Admin\AppData\Local\Temp\67135a3a62d198d93913f1339271eba468697bb9848d7971b2c704479cf2cefb.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\Program Files\ygbtw\qmd.exe"c:\Program Files\ygbtw\qmd.exe" "c:\Program Files\ygbtw\qmdky.dll",Compliance C:\Users\Admin\AppData\Local\Temp\gpkwd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207KB
MD56722bd643b8a5e9d936abc807aa553e7
SHA12281cb18a162136b57929cc3bc93cbdfa96d7c0b
SHA256beac6dcd8a6ab3490ee75a87cab66545285dd54ca7669e25864e9a4421238950
SHA512782f8f92466ebc2951261921cc9fbbb56274e92f78b32f9c2d52a4136b4b878ef2e85ffd4ef4b89a761cd214ac710b05ffc1c5f906fce3ac22c64c7adb04f41e
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
141KB
MD5e3df6bbb0d5fe994cab05ccad962db8a
SHA1357b9184a1eab582130efd0e378df7b97d2304fb
SHA256d5eb81215e76d7213f06cde353c81c613849be0171a3a444e68d175a37a79b7d
SHA512c9302042c7700665d62b89b008cfa2bb8e54a0456dfdb0b7cf97377f17e6a8b32bf3054bdaa607da96ef2341231688314914771f4dba24094f2a8516e8555555