Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10/06/2022, 13:35 UTC

General

  • Target

    55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe

  • Size

    80KB

  • MD5

    cc43c6cdc0b3d5a09e63a438d5db6d57

  • SHA1

    efbfdc41e819422240cc2da85c9a0e358133bbc2

  • SHA256

    55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431

  • SHA512

    15f929a56cc005fca42d4cfb497dc6edc001355e2bd4f496fe279a0f988fdfeea56d4762043f38924763475fd42f239b74b9ea6e61a8e420b87b4725735412d7

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe
    "C:\Users\Admin\AppData\Local\Temp\55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe"
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\runas.exe
      runas /trustlevel:0x20000 C:\Windows\explorer.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        3⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:996
        • C:\Windows\system32\ctfmon.exe
          ctfmon.exe
          4⤵
            PID:1480
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x494
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:580

Network

  • 93.115.21.45:27134
    55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe
    1.0kB
    20

    MITRE ATT&CK Enterprise v6


Downloads

  • memory/996-59-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp
    Filesize: 8KB
  • memory/996-62-0x0000000002590000-0x00000000025A0000-memory.dmp
    Filesize: 64KB
  • memory/2016-54-0x0000000075C01000-0x0000000075C03000-memory.dmp
    Filesize: 8KB
  • memory/2016-55-0x00000000748A0000-0x0000000074E4B000-memory.dmp
    Filesize: 5.7MB
  • memory/2016-61-0x00000000748A0000-0x0000000074E4B000-memory.dmp
    Filesize: 5.7MB
