Analysis
max time kernel: 247s
max time network: 333s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 29/11/2022, 09:02
Static task: static1
Behavioral task: behavioral1
  Sample: 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
  Resource: win10v2004-20221111-en
General
Target: 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
Size: 351KB
MD5: bffb04890d8df7e4afdc1d5dfcb3248a
SHA1: 10dd863a8314dcd0ea685c4c9425a80423bc81d1
SHA256: 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca
SHA512: 54e443f028d043d57ff81affe51fc54ef3630ef326209d2263433c4fe80b3c34c1da82e7f8e6054f819f34c917e8632875c87b8b67058864dc37567fbeb82b11
SSDEEP: 6144:Z3c4cg0RO2MzGYfGAAUkPlBDdIKTss+daU1yFKhPozGafzD:ZiBTMCYuAAf9ow1+daMyFFaafv
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  1760 | ECFs098AK.exe
  1304 | ECFs098AK.exe
- Deletes itself (1 IoC)
  pid | Process
  1304 | ECFs098AK.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  776 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
  776 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
  776 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
  1304 | ECFs098AK.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\G2tUpMukuStslaS = "C:\\ProgramData\\atGn4JEoj\\ECFs098AK.exe" | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 476 set thread context of 776 | 476 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 28
  PID 1760 set thread context of 1304 | 1760 | ECFs098AK.exe | 30
  PID 1304 set thread context of 1672 | 1304 | ECFs098AK.exe | 32
- Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target
  PID 476 wrote to memory of 776 | 476 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 28
  PID 476 wrote to memory of 776 | 476 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 28
  PID 476 wrote to memory of 776 | 476 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 28
  PID 476 wrote to memory of 776 | 476 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 28
  PID 476 wrote to memory of 776 | 476 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 28
  PID 476 wrote to memory of 776 | 476 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 28
  PID 776 wrote to memory of 1760 | 776 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 29
  PID 776 wrote to memory of 1760 | 776 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 29
  PID 776 wrote to memory of 1760 | 776 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 29
  PID 776 wrote to memory of 1760 | 776 | 56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe | 29
  PID 1760 wrote to memory of 1304 | 1760 | ECFs098AK.exe | 30
  PID 1760 wrote to memory of 1304 | 1760 | ECFs098AK.exe | 30
  PID 1760 wrote to memory of 1304 | 1760 | ECFs098AK.exe | 30
  PID 1760 wrote to memory of 1304 | 1760 | ECFs098AK.exe | 30
  PID 1760 wrote to memory of 1304 | 1760 | ECFs098AK.exe | 30
  PID 1760 wrote to memory of 1304 | 1760 | ECFs098AK.exe | 30
  PID 1304 wrote to memory of 1744 | 1304 | ECFs098AK.exe | 31
  PID 1304 wrote to memory of 1744 | 1304 | ECFs098AK.exe | 31
  PID 1304 wrote to memory of 1744 | 1304 | ECFs098AK.exe | 31
  PID 1304 wrote to memory of 1744 | 1304 | ECFs098AK.exe | 31
  PID 1304 wrote to memory of 1672 | 1304 | ECFs098AK.exe | 32
  PID 1304 wrote to memory of 1672 | 1304 | ECFs098AK.exe | 32
  PID 1304 wrote to memory of 1672 | 1304 | ECFs098AK.exe | 32
  PID 1304 wrote to memory of 1672 | 1304 | ECFs098AK.exe | 32
  PID 1304 wrote to memory of 1672 | 1304 | ECFs098AK.exe | 32
  PID 1304 wrote to memory of 1672 | 1304 | ECFs098AK.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 476
  C:\Users\Admin\AppData\Local\Temp\56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 776
    C:\ProgramData\atGn4JEoj\ECFs098AK.exe
      Command line: "C:\ProgramData\atGn4JEoj\ECFs098AK.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1760
      C:\ProgramData\atGn4JEoj\ECFs098AK.exe
        Command line: "C:\ProgramData\atGn4JEoj\ECFs098AK.exe"
        - Executes dropped EXE
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 1304
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
          Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /i:1304
          PID: 1744
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" /i:1304
          PID: 1672
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 351KB
  MD5: 5a1c4b11cfe5bd389b2da7fcda1e0e3c
  SHA1: 05dad81e3ab2e292713969680cff2abe87b22234
  SHA256: 58e0f072970c60203e4bf0c806069f24a38a816920924ccde901bce6bddf48aa
  SHA512: f386fc5eb8521d006b9f35dfca57141dfc13013f6aebeb2bceea415cacec08c11c440501236cf3f3053d161bbc033e9fbef4f9dd6f34e12c985dfe05c7072ea4
Filesize
351KB
MD5bffb04890d8df7e4afdc1d5dfcb3248a
SHA110dd863a8314dcd0ea685c4c9425a80423bc81d1
SHA25656b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca
SHA51254e443f028d043d57ff81affe51fc54ef3630ef326209d2263433c4fe80b3c34c1da82e7f8e6054f819f34c917e8632875c87b8b67058864dc37567fbeb82b11