Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 12:53

General

  • Target

    85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe

  • Size

    292KB

  • MD5

    7d28a193f98076e664e867465f8e3036

  • SHA1

    436149160a074611e1a37e575e36cc0e73a6ad10

  • SHA256

    85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a

  • SHA512

    924d277c4e4f2b24e9ae9056cc8b29a734d0b0000f6bb90356070b9ea117398619d312cb913a586296ff6091f88142d8198cf58b45e104c325a60f0d7fdb7ffb

  • SSDEEP

    6144:qDxBj6B6kQu1WTminflPN80PxpkJP9sF2GtxvEvCOw5bImJIU:r6k+Tmin80PPesFFxMv2BImGU

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Deletes itself 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
    "C:\Users\Admin\AppData\Local\Temp\85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\uninstal.bat
      2⤵
      • Deletes itself
      PID:1668
  • C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe
    "C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:1812

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe

      Filesize

      292KB

      MD5

      7d28a193f98076e664e867465f8e3036

      SHA1

      436149160a074611e1a37e575e36cc0e73a6ad10

      SHA256

      85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a

      SHA512

      924d277c4e4f2b24e9ae9056cc8b29a734d0b0000f6bb90356070b9ea117398619d312cb913a586296ff6091f88142d8198cf58b45e104c325a60f0d7fdb7ffb

    • C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe

      Filesize

      292KB

      MD5

      7d28a193f98076e664e867465f8e3036

      SHA1

      436149160a074611e1a37e575e36cc0e73a6ad10

      SHA256

      85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a

      SHA512

      924d277c4e4f2b24e9ae9056cc8b29a734d0b0000f6bb90356070b9ea117398619d312cb913a586296ff6091f88142d8198cf58b45e104c325a60f0d7fdb7ffb

    • C:\Windows\uninstal.bat

      Filesize

      254B

      MD5

      ab4917dddcb1b2ff51aaea673379c6e0

      SHA1

      c82758e9d6439a4021d63406e9cb7b13dbe35fc8

      SHA256

      5a230b7d6c655c1c575e8adf38b3c0d19ee8afac1177a0f5a2e373a4d3956ee1

      SHA512

      9544ab85fd16e1ce4c09785e0863a6d2640707cde3c866ebdf71409c6132e9c367bc7e48e942f9c8c58e66cacc27698c3310928ee5321146f3c9794a3dd26d4c

    • memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp

      Filesize

      8KB

    • memory/1768-55-0x0000000000400000-0x000000000051401B-memory.dmp

      Filesize

      1.1MB