Analysis
- max time kernel: 44s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29/10/2022, 01:15
Static task: static1
Behavioral task: behavioral1
- Sample: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
- Resource: win10v2004-20220812-en
General
- Target: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
- Size: 875KB
- MD5: 0baf9124d7e983a20ee54e07b5e749d0
- SHA1: 6f7b68a0899bffe7c4fc0da6a1f46027341a4c41
- SHA256: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd
- SHA512: 4010ae23efaef45bf9527cb2eaf4ab71293da13dcac4d7f417b4098ce338ca063af0e82f3f2225e87bb150ca9009f8c9bfed3c21585c567ade669e153df6ae57
- SSDEEP: 12288:FLozg61ikvvA3+Emo7ker5I/DbtSILfXOB3k3V/UnEIOKLS4QLDg:ug6osvA3L7ky5I34ca3UNyTOKLS4Q
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  pid   Process
  1744  win32.exe
  1088  CAMSTE~1.EXE

- Loads dropped DLL (4 IoCs)
  pid   Process
  1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
  1744  win32.exe
  1744  win32.exe
  1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe

- Obfuscated with Agile.Net obfuscator (4 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                      yara_rule
  behavioral1/files/0x000c0000000122e9-55.dat   agile_net
  behavioral1/files/0x000c0000000122e9-57.dat   agile_net
  behavioral1/files/0x000c0000000122e9-59.dat   agile_net
  behavioral1/files/0x000c0000000122e9-60.dat   agile_net

- Adds Run key to start application (2 TTPs, 2 IoCs)
  - description: Key created
    ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Process: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1744  win32.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1064 wrote to memory of 1744   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  27
  PID 1064 wrote to memory of 1744   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  27
  PID 1064 wrote to memory of 1744   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  27
  PID 1064 wrote to memory of 1744   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  27
  PID 1064 wrote to memory of 1744   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  27
  PID 1064 wrote to memory of 1744   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  27
  PID 1064 wrote to memory of 1744   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  27
  PID 1064 wrote to memory of 1088   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  28
  PID 1064 wrote to memory of 1088   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  28
  PID 1064 wrote to memory of 1088   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  28
  PID 1064 wrote to memory of 1088   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  28
  PID 1064 wrote to memory of 1088   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  28
  PID 1064 wrote to memory of 1088   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  28
  PID 1064 wrote to memory of 1088   1064  a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe"
  PID: 1064
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe
    PID: 1744
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMSTE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMSTE~1.EXE
    PID: 1088
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 427KB
  MD5: 243cee9625b37e0773d1ddd3d69e1526
  SHA1: 2b7ca49b61fea948a78d50848d535be2d6c68009
  SHA256: 28a9667ed1bfa034979571d1a89da0965d9b137130d877b07eef865f714c0088
  SHA512: a1e398998f62cd3c782f632d6e338587c55100f81960a59886e174659538052483d6d7e588457a109d043f9c3e5fdcb4e2c5776286bb1a68ba3460e66527d607
- Filesize: 403KB
  MD5: 63892ebce4036f604aa3bf3137904831
  SHA1: 99b4ad0983286aa3318ea71d88f359a2e34e3ad4
  SHA256: f216524bbdda5343457fc8a951cc3a72e0259c4bfe3fd81d4f7e0709f96fc7e6
  SHA512: c7cc6a9f2e48ce20b3fa245ab58b746503e5a26bd7d46dfc8aad7000bbb122e7d845630171b19ec3d0690d1ce31731d371a6a93a79f225aaa44f4668646a1aae
- Filesize: 119KB
  MD5: 3289e1d8d7227a102ec7345ce050776f
  SHA1: 0e3d5324a0e2a58219ff0e3664a930e0943e0cd6
  SHA256: bf81634b71d21be6f7c5515dc07ea2233a2d3f2a27c202348bfb9cd11b27789b
  SHA512: 85627c2d47cf9890a25a587af7ed2ac73e3974992d974b3d50d8d92c973fcb899800fac10459deeebc456fef8ed1fab050be81fca824f58fee10dbd452a3bec5