Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    205s
  • max time network
    205s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/11/2022, 03:26

General

  • Target

    2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe

  • Size

    277KB

  • MD5

    eda44d677d19df0a7b4133f6868452ae

  • SHA1

    6446040c726f5936045ff83a6cfe9414bd3459d6

  • SHA256

    2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35

  • SHA512

    cc3eee000a4fe203149ab3eee9658169bb4eda4cfeae2cd75a5029b73091708cfcf23b52e9031dd98039b2043387fb84c9610dc2e6662347b9749b1dbd66ce28

  • SSDEEP

    6144:/CoQdB4uzlGz2XiU4xlYxgdZGEKHPr4n3yJWmdrctll:/0qylGWX4ixgdZGEKH0nmWSrIl

Score
10/10

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe
    "C:\Users\Admin\AppData\Local\Temp\2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1508

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe

    Filesize

    277KB

    MD5

    eda44d677d19df0a7b4133f6868452ae

    SHA1

    6446040c726f5936045ff83a6cfe9414bd3459d6

    SHA256

    2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35

    SHA512

    cc3eee000a4fe203149ab3eee9658169bb4eda4cfeae2cd75a5029b73091708cfcf23b52e9031dd98039b2043387fb84c9610dc2e6662347b9749b1dbd66ce28

  • memory/1724-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

    Filesize

    8KB

  • memory/1724-55-0x0000000074380000-0x000000007492B000-memory.dmp

    Filesize

    5.7MB

  • memory/1724-60-0x0000000074380000-0x000000007492B000-memory.dmp

    Filesize

    5.7MB