Analysis
  max time kernel:  40s
  max time network: 46s
  platform:         windows7_x64
  resource:         win7-20220812-en
  resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:        03/10/2022, 00:28
Static task: static1

Behavioral task: behavioral1
  Sample:   efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe
  Resource: win10v2004-20220812-en
General
  Target: efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe
  Size:   556KB
  MD5:    31f540d71dc2736cbb800cff43614e5b
  SHA1:   9030a350e82b54227bcacf87fe288a9e8494644a
  SHA256: efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8
  SHA512: 66f07dce6fbf0645f6d191173d75213f321ba4a74fd148742a03965646391b21233a867be21a34b9015876d0ff1b4177900936e05b5e1da27fedf6a387ff0471
  SSDEEP: 12288:ecfgt23uT0QxsTPWXgFcG5jl7fwe91ngYdDsJyeqTWmhdnh:eugk3uw0sTPWQtjl7fwK1nBmyT
Malware Config
  Extracted
    Family:  metasploit
    Encoder: encoder/call4_dword_xor
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description: Key opened
  ioc:         \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine
  Process:     efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe

Drops file in System32 directory (2 IoCs)
  description: File opened for modification
  ioc:         C:\Windows\SysWOW64\wbem\wmisvapp.exe
  Process:     efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe

  description: File created
  ioc:         C:\Windows\SysWOW64\wbem\wmisvapp.exe
  Process:     efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid:     580
  Process: efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid:     580
  Process: efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe
Processes

C:\Users\Admin\AppData\Local\Temp\efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe"
  PID: 580
  - Identifies Wine through registry keys
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses