Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 11:46

General

  • Target

    2399bce7611824e5c567f6a1f7b607af48303513ed26a23291a7744f5bc5badd.exe

  • Size

    309KB

  • MD5

    6cbc7e6d153fc19965a2c9baa9a74590

  • SHA1

    a73364f246c9dfa1391f7643a487d9918acfce10

  • SHA256

    2399bce7611824e5c567f6a1f7b607af48303513ed26a23291a7744f5bc5badd

  • SHA512

    408ea4a47aa987ec6fc6954f48105c160567389833aaf313ac94fdc09f4db519c9b0c3c9d03898999ed277ca2d60c980a45363557381b7de02056d6c0cd522c0

  • SSDEEP

    6144:n9UfckvcZvGexZBBgiDPxnzNoLyW6y+Mnzi6K0jQRRfhYp6RE05dpg00:9Nkvk+QMYP5AWqziBZJpg00

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2399bce7611824e5c567f6a1f7b607af48303513ed26a23291a7744f5bc5badd.exe
    "C:\Users\Admin\AppData\Local\Temp\2399bce7611824e5c567f6a1f7b607af48303513ed26a23291a7744f5bc5badd.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe http://www.v258.net/list/list16.html?mmm
      2⤵
        PID:936
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\eeFi1.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\expand.exe
          expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\progra~1\ico"
          3⤵
          • Drops file in Program Files directory
          • Drops file in Windows directory
          PID:2012
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v258.net/list/list16.html?mmm
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:280
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:280 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1652

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\eeFi1.bat

      Filesize

      98B

      MD5

      ada787702460241a372c495dc53dbdcf

      SHA1

      da7d65ec9541fe9ed13b3531f38202f83b0ac96d

      SHA256

      0d0f600f95192d2d602dbda346c4e08745295f331f5a0349deae21705367b850

      SHA512

      c86091735b855691c89c7946145591dec6a6a6a36a2438d392587a9cc1f2d85c1ebe44fcff1cc9d94271a24ebbc2ca38639577a6f5c592e9e10517da26572708

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JF3BBYQ4.txt

      Filesize

      593B

      MD5

      d7d7760dc4ffc6f1daab56e90e61d20e

      SHA1

      3fa294ee6a994ff23a3425233d9580f5b5e13803

      SHA256

      185e0c4c5941df3dfdac336dcafc002286a8dbf1b48a559923a55fe3a86d708c

      SHA512

      7541611bac497b473f87c44728173eb950f34b1556170c34c48294d7560596c9b1f4456c14c453023bb25cd1c3d29c445cbb5015625e9f9c9597f7f9ca7dbea7

    • \??\c:\users\admin\appdata\local\temp\ico.cab

      Filesize

      20KB

      MD5

      1319e9998cedc513c68fa6d590b6ad63

      SHA1

      ae95b333e88a13886994f320f5dfb4856168a710

      SHA256

      9a5b18efe243fbe9b9b0be3674a24080e9210436986988f3f85a4007905083bb

      SHA512

      d4052a899c6c310296e2f5fdf6c2031c22d2644be620cb34ddcc6b59789d82a6462daaeb34466c568be48ee975c4a5ab43143eab0792312a6cd0d49f9fbd8d3f

    • memory/936-64-0x0000000074891000-0x0000000074893000-memory.dmp

      Filesize

      8KB

    • memory/1080-65-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp

      Filesize

      8KB

    • memory/1592-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

      Filesize

      8KB

    • memory/1592-55-0x0000000000400000-0x0000000000548000-memory.dmp

      Filesize

      1.3MB

    • memory/1592-59-0x0000000000400000-0x0000000000548000-memory.dmp

      Filesize

      1.3MB

    • memory/1592-66-0x0000000000400000-0x0000000000548000-memory.dmp

      Filesize

      1.3MB