Analysis

  • max time kernel
    163s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/10/2022, 15:37

General

  • Target

    3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe

  • Size

    322KB

  • MD5

    91f4c8526869f34f38b8eed628b557a1

  • SHA1

    5757818e4bbcce1a481c70f1370578f190b676cb

  • SHA256

    3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb

  • SHA512

    b141483fed0ba742a2778659a1f7f28d969014c4016524e4bb478964c73755de4ccbd8815eec725573ba6fc40164955c97a77e4ed6979532695fb6a6ad824e87

  • SSDEEP

    6144:ukuP43GMaCXZgY9jYYp5fp1VNB0acuz0dqy1jQS:ukuP43GCXdjjpBVNBVfzBy1sS

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Modifies Internet Explorer Protected Mode
    • Modifies Internet Explorer Protected Mode Banner
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe
      "C:\Users\Admin\AppData\Local\Temp\3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1032

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\jxavmdt.dat

    Filesize

    244KB

    MD5

    be297f52018cebfad9af9b432a53af29

    SHA1

    5111aa620f29b77048b5da629336923ff1e3cf25

    SHA256

    fb99ca1d7e660b909e35801658ee556eb1e39b5b65c2d09f4824de332c0085fb

    SHA512

    4bae920dd7fbce22284749c38812f15d97fee6d3ca66288d875a72922586c032f9cc80d236c64687b1c495972870109e73be5ca5ad313b98aedabe5d357c054c

  • \ProgramData\jxavmdt.dat

    Filesize

    244KB

    MD5

    be297f52018cebfad9af9b432a53af29

    SHA1

    5111aa620f29b77048b5da629336923ff1e3cf25

    SHA256

    fb99ca1d7e660b909e35801658ee556eb1e39b5b65c2d09f4824de332c0085fb

    SHA512

    4bae920dd7fbce22284749c38812f15d97fee6d3ca66288d875a72922586c032f9cc80d236c64687b1c495972870109e73be5ca5ad313b98aedabe5d357c054c

  • memory/1032-54-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1032-55-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1032-56-0x0000000075501000-0x0000000075503000-memory.dmp

    Filesize

    8KB

  • memory/1032-58-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/1032-65-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB

  • memory/1032-68-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1032-69-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/1224-60-0x0000000002AE0000-0x0000000002B2D000-memory.dmp

    Filesize

    308KB

  • memory/1224-67-0x0000000003930000-0x0000000003998000-memory.dmp

    Filesize

    416KB

  • memory/1224-66-0x0000000002AE0000-0x0000000002B2D000-memory.dmp

    Filesize

    308KB