Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
11/03/2025, 15:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe
Resource
win7-20240903-en
windows7-x64
21 signatures
150 seconds
General
-
Target
ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe
-
Size
1.3MB
-
MD5
0b75dee0f0fb1cb7df705700426edd2a
-
SHA1
42468f33e421f0dfb6649983be7b6f40b2fc1525
-
SHA256
ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196
-
SHA512
f5db2208d1bd20b493365297416d6e0a5bc715629c5c181feb22dcbb8db81d2101354f4926c1d8757df63e80c1542a41bf5808bee7636e806a519b021ea1d23f
-
SSDEEP
24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN4:QHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/1976-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral2/memory/1976-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe -
Executes dropped EXE 1 IoCs
pid Process 1740 sainbox.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: sainbox.exe File opened (read-only) \??\I: sainbox.exe File opened (read-only) \??\O: sainbox.exe File opened (read-only) \??\P: sainbox.exe File opened (read-only) \??\T: sainbox.exe File opened (read-only) \??\B: sainbox.exe File opened (read-only) \??\M: sainbox.exe File opened (read-only) \??\S: sainbox.exe File opened (read-only) \??\W: sainbox.exe File opened (read-only) \??\Y: sainbox.exe File opened (read-only) \??\E: sainbox.exe File opened (read-only) \??\G: sainbox.exe File opened (read-only) \??\K: sainbox.exe File opened (read-only) \??\L: sainbox.exe File opened (read-only) \??\U: sainbox.exe File opened (read-only) \??\Z: sainbox.exe File opened (read-only) \??\J: sainbox.exe File opened (read-only) \??\N: sainbox.exe File opened (read-only) \??\Q: sainbox.exe File opened (read-only) \??\R: sainbox.exe File opened (read-only) \??\V: sainbox.exe File opened (read-only) \??\X: sainbox.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4684 cmd.exe 736 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sainbox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz sainbox.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 736 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe 1740 sainbox.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1740 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1976 ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe Token: SeLoadDriverPrivilege 1740 sainbox.exe Token: 33 1740 sainbox.exe Token: SeIncBasePriorityPrivilege 1740 sainbox.exe Token: 33 1740 sainbox.exe Token: SeIncBasePriorityPrivilege 1740 sainbox.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1976 wrote to memory of 1740 1976 ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe 87 PID 1976 wrote to memory of 1740 1976 ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe 87 PID 1976 wrote to memory of 1740 1976 ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe 87 PID 1976 wrote to memory of 4684 1976 ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe 88 PID 1976 wrote to memory of 4684 1976 ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe 88 PID 1976 wrote to memory of 4684 1976 ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe 88 PID 4684 wrote to memory of 736 4684 cmd.exe 90 PID 4684 wrote to memory of 736 4684 cmd.exe 90 PID 4684 wrote to memory of 736 4684 cmd.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe"C:\Users\Admin\AppData\Local\Temp\ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe"2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AD4A2B~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:736
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD50b75dee0f0fb1cb7df705700426edd2a
SHA142468f33e421f0dfb6649983be7b6f40b2fc1525
SHA256ad4a2b6fd98c9bc4b85e45e3ddaaf80e9be40897ed4acc66133baad85320b196
SHA512f5db2208d1bd20b493365297416d6e0a5bc715629c5c181feb22dcbb8db81d2101354f4926c1d8757df63e80c1542a41bf5808bee7636e806a519b021ea1d23f