Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    196s
  • max time network
    213s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2022, 02:13

General

  • Target

    cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe

  • Size

    75KB

  • MD5

    1585d0fe2a7ec9f710a016dee24b1e4f

  • SHA1

    6730f34bdf92b11346b1e34e36a7981d8cf55f7e

  • SHA256

    cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96

  • SHA512

    6c7d085a11bc0e91945896815f403546bafc09af4a0300b7822342a784a6cf81a8c4fad20dd88594625d1b9830081c33745532310c653bd13e5c78cfcd95a4d7

  • SSDEEP

    1536:+TEmpbswZUH3smQaNWT7lw2YrWCwtMfRBhijv9zwIeAAD3:+TEmuLc2QlwYCwRpu

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Blocklisted process makes network request 9 IoCs
  • Disables taskbar notifications via registry modification
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 25 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
    "C:\Users\Admin\AppData\Local\Temp\cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
      "C:\Users\Admin\AppData\Local\Temp\cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\SysWOW64\msiexec.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Adds policy Run key to start application
        • Blocklisted process makes network request
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        PID:1920

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1184-56-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1184-57-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1184-58-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1184-63-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1184-66-0x000000007EF90000-0x000000007EF96000-memory.dmp

    Filesize

    24KB

  • memory/1920-67-0x00000000000B0000-0x00000000000C4000-memory.dmp

    Filesize

    80KB

  • memory/1920-68-0x000000007EF90000-0x000000007EF96000-memory.dmp

    Filesize

    24KB

  • memory/2036-54-0x0000000076401000-0x0000000076403000-memory.dmp

    Filesize

    8KB

  • memory/2036-55-0x0000000074EA0000-0x000000007544B000-memory.dmp

    Filesize

    5.7MB

  • memory/2036-61-0x0000000074EA0000-0x000000007544B000-memory.dmp

    Filesize

    5.7MB