Analysis

  • max time kernel
    151s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/11/2022, 11:26 UTC

General

  • Target

    100.exe

  • Size

    75KB

  • MD5

    6fe5189a35abb1d99830e92de024bd2d

  • SHA1

    add93a5ad62ff4d923f68661727ea0c37d2053fd

  • SHA256

    9e3ad5186e3784d866a3ed9a41e61a1ff2fbb983ce8edb330a3b069f452b636d

  • SHA512

    7f28b95a47947f75c10763dec5a22fc77b9d249144e24c8de8824dba0dc375729f1b8a4e4aa9faeb3031ee11d1e38afbc167904f5a5061390d896673b414950c

  • SSDEEP

    768:tbyvTDdVf5ozWBYP5SywTwiN9dguJcF4Qhc4VjsS8jAnKNu6LUEscg6U2:tbyvtVRsWyP55wTwiT2hBjsV61nV2

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\100.exe
    "C:\Users\Admin\AppData\Local\Temp\100.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Local\Temp\AvastUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\AvastUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AvastUpdate.exe" "AvastUpdate.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1468

Network

  • flag-unknown
    DNS
    titoownz.ddns.net
    AvastUpdate.exe
    Remote address: 8.8.8.8:53
    Request: titoownz.ddns.net IN A
    Response: No results found
  • 8.8.8.8:53
    titoownz.ddns.net
    dns
    AvastUpdate.exe
    63 B
    123 B
    1
    1

    DNS Request

    titoownz.ddns.net

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AvastUpdate.exe

    Filesize

    75KB

    MD5

    6fe5189a35abb1d99830e92de024bd2d

    SHA1

    add93a5ad62ff4d923f68661727ea0c37d2053fd

    SHA256

    9e3ad5186e3784d866a3ed9a41e61a1ff2fbb983ce8edb330a3b069f452b636d

    SHA512

    7f28b95a47947f75c10763dec5a22fc77b9d249144e24c8de8824dba0dc375729f1b8a4e4aa9faeb3031ee11d1e38afbc167904f5a5061390d896673b414950c

  • \Users\Admin\AppData\Local\Temp\AvastUpdate.exe

    Filesize

    75KB

    MD5

    6fe5189a35abb1d99830e92de024bd2d

    SHA1

    add93a5ad62ff4d923f68661727ea0c37d2053fd

    SHA256

    9e3ad5186e3784d866a3ed9a41e61a1ff2fbb983ce8edb330a3b069f452b636d

    SHA512

    7f28b95a47947f75c10763dec5a22fc77b9d249144e24c8de8824dba0dc375729f1b8a4e4aa9faeb3031ee11d1e38afbc167904f5a5061390d896673b414950c

  • memory/1388-63-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1388-64-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1960-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

    Filesize

    8KB

  • memory/1960-55-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1960-56-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1960-62-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB
