Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2022, 23:55

General

  • Target

    87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe

  • Size

    256KB

  • MD5

    7c35351f4c0d9a015e72fc237f672570

  • SHA1

    df7333669001df6d4aa9a1da275f4e5c0f499532

  • SHA256

    87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff

  • SHA512

    218e2a495223802267b7273f53ea21f0d12cbf769e773f2f8826cd099ec00421f8e36d1df918482c7f62fb8edc936c13b147184d7099c1a3e2505c8021d4547a

  • SSDEEP

    6144:LjheaN1bO8m9pEUFhuoY8laLSWmH60HwYg6XDNx:VfChkl/lj6Bx

Malware Config

Signatures

  • ASPack v2.12-2.42 5 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe
    "C:\Users\Admin\AppData\Local\Temp\87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe"
    PID:1908
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\207411a8.exe
      C:\207411a8.exe
      PID:2028
      • Executes dropped EXE
      • Sets DLL path for service in the registry
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\SysWOW64\Svchost.exe
    C:\Windows\SysWOW64\Svchost.exe -k netsvcs
    PID:1408
    • Loads dropped DLL

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\207411a8.exe

    Filesize

    226KB

    MD5

    cf1466e3a3ebfaabd919fe01f4be17db

    SHA1

    90d57e3e173222394914189d24ad9408744d6dc7

    SHA256

    cb8cfeb89ff3870cc2b3599f1697999b7c005a3b17fd117b4de3aa86569fb222

    SHA512

    0b1e9ed13a8bc78fad400f5edf25c9b622c1841ffc4307dc38950acb9812f2eedd08b5ec61be1aa44a8ef7f8656671443411e44cf270e078bb3de0c249da4432

  • C:\Users\Infotmp.txt

    Filesize

    724B

    MD5

    3ab5bd44e709340df56e56bcc4d85610

    SHA1

    e4bf4ae27ad423bf494d418d0e9d01a7f0a6c9f0

    SHA256

    6c6f3a905bc56b3f63d1695a9125a5903b058cbb29aab04ab91d657086d00729

    SHA512

    e2ae20f4cf89f9e3a10a62d3ca49fbd19c4657040cedf11f8c324a2f5d226be5e289a843be959fb11fbca303d02e300d681b37f703e37878a65df236746194bc

  • \??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

    Filesize

    226KB

    MD5

    749f0a7119505ff40d98aef078d44d7f

    SHA1

    a56ed810a73ff7a0f4004224cc3fb7ca534cf20f

    SHA256

    fa51619f5efe4ddd281451a9ec27b4abb52aef70d1f8f65d169f0eba98c8c768

    SHA512

    48dfb6057f4235ec5a750065b779e6396f8cca19f3927c8ec7866951ba080b6b2aa688acb3bfa62cd721ab27e801f2c97488e9881557f59db4e94be3db424be4

  • \Windows\SysWOW64\5F5004AC.tmp

    Filesize

    226KB

    MD5

    749f0a7119505ff40d98aef078d44d7f

    SHA1

    a56ed810a73ff7a0f4004224cc3fb7ca534cf20f

    SHA256

    fa51619f5efe4ddd281451a9ec27b4abb52aef70d1f8f65d169f0eba98c8c768

    SHA512

    48dfb6057f4235ec5a750065b779e6396f8cca19f3927c8ec7866951ba080b6b2aa688acb3bfa62cd721ab27e801f2c97488e9881557f59db4e94be3db424be4

  • \Windows\SysWOW64\FastUserSwitchingCompatibility.dll

    Filesize

    226KB

    MD5

    749f0a7119505ff40d98aef078d44d7f

    SHA1

    a56ed810a73ff7a0f4004224cc3fb7ca534cf20f

    SHA256

    fa51619f5efe4ddd281451a9ec27b4abb52aef70d1f8f65d169f0eba98c8c768

    SHA512

    48dfb6057f4235ec5a750065b779e6396f8cca19f3927c8ec7866951ba080b6b2aa688acb3bfa62cd721ab27e801f2c97488e9881557f59db4e94be3db424be4

  • memory/1408-71-0x0000000075130000-0x0000000075178000-memory.dmp

    Filesize

    288KB

  • memory/1408-70-0x0000000075130000-0x0000000075178000-memory.dmp

    Filesize

    288KB

  • memory/1408-73-0x0000000075130000-0x0000000075178000-memory.dmp

    Filesize

    288KB

  • memory/1908-63-0x0000000000380000-0x00000000003C8000-memory.dmp

    Filesize

    288KB

  • memory/1908-75-0x0000000000400000-0x000000000043FEA8-memory.dmp

    Filesize

    255KB

  • memory/1908-62-0x0000000000400000-0x000000000043FEA8-memory.dmp

    Filesize

    255KB

  • memory/1908-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

    Filesize

    8KB

  • memory/2028-65-0x0000000002120000-0x0000000006120000-memory.dmp

    Filesize

    64.0MB

  • memory/2028-59-0x0000000000CD0000-0x0000000000D18000-memory.dmp

    Filesize

    288KB

  • memory/2028-58-0x0000000000CD0000-0x0000000000D18000-memory.dmp

    Filesize

    288KB

  • memory/2028-74-0x0000000076110000-0x0000000076170000-memory.dmp

    Filesize

    384KB

  • memory/2028-66-0x0000000076110000-0x0000000076170000-memory.dmp

    Filesize

    384KB

  • memory/2028-64-0x0000000000CD0000-0x0000000000D18000-memory.dmp

    Filesize

    288KB