Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

848018a20c...9d.exe

windows7-x64

8

848018a20c...9d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    40s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    848018a20cfb5c2e2f496844353143c2ea7df3ed46a731ffb9b444313e41a89d.exe

  • Size

    122KB

  • MD5

    18ffb01905afcf56a083bab77e7d250a

  • SHA1

    553cd62a59d978624350ad41160e332c3577ad94

  • SHA256

    848018a20cfb5c2e2f496844353143c2ea7df3ed46a731ffb9b444313e41a89d

  • SHA512

    721c77d31e9ea7b361906778d015ea9995f520355e4eeed7f448f746e003da0a779538431b73835c315b40c8712e7422d0fe7a038a37f695d27de3edb4052621

  • SSDEEP

    3072:X6LzP3eJOGh6UOWRTwbyUD4sDjUrbbigt/xCro:6Gh6ZWhKymt/4OgJEro

Score
8/10
persistence

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\848018a20cfb5c2e2f496844353143c2ea7df3ed46a731ffb9b444313e41a89d.exe
    "C:\Users\Admin\AppData\Local\Temp\848018a20cfb5c2e2f496844353143c2ea7df3ed46a731ffb9b444313e41a89d.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      PID:1528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\848018a20cfb5c2e2f496844353143c2ea7df3ed46a731ffb9b444313e41a89d.exe"
      2⤵
      • Deletes itself
      • Loads dropped DLL
      PID:692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\HIMYM.DLL
    Filesize

    44KB

    MD5

    a210652a198f44ab68c705a7f21ed1d9

    SHA1

    e88654f61bd85388bcd3cd56272d6a59ad591911

    SHA256

    11ee4c430cac8669af711572b06b27c6b7e2729ebcf7cbe5c3ea073b86c8685a

    SHA512

    fbfdecb0194d300377f58a523e2b0134833b324ed22cc5c709b6ebf0e7bc0b561ecbbae7c0e2ff01a976d55f6c6faa789fb751237a91c534158e681b5b90c13f

    Download Submit

  • \Windows\SysWOW64\HIMYM.DLL
    Filesize

    44KB

    MD5

    a210652a198f44ab68c705a7f21ed1d9

    SHA1

    e88654f61bd85388bcd3cd56272d6a59ad591911

    SHA256

    11ee4c430cac8669af711572b06b27c6b7e2729ebcf7cbe5c3ea073b86c8685a

    SHA512

    fbfdecb0194d300377f58a523e2b0134833b324ed22cc5c709b6ebf0e7bc0b561ecbbae7c0e2ff01a976d55f6c6faa789fb751237a91c534158e681b5b90c13f

    Download Submit

  • \Windows\SysWOW64\HIMYM.DLL
    Filesize

    44KB

    MD5

    a210652a198f44ab68c705a7f21ed1d9

    SHA1

    e88654f61bd85388bcd3cd56272d6a59ad591911

    SHA256

    11ee4c430cac8669af711572b06b27c6b7e2729ebcf7cbe5c3ea073b86c8685a

    SHA512

    fbfdecb0194d300377f58a523e2b0134833b324ed22cc5c709b6ebf0e7bc0b561ecbbae7c0e2ff01a976d55f6c6faa789fb751237a91c534158e681b5b90c13f

    Download Submit

  • \Windows\SysWOW64\HIMYM.DLL
    Filesize

    44KB

    MD5

    a210652a198f44ab68c705a7f21ed1d9

    SHA1

    e88654f61bd85388bcd3cd56272d6a59ad591911

    SHA256

    11ee4c430cac8669af711572b06b27c6b7e2729ebcf7cbe5c3ea073b86c8685a

    SHA512

    fbfdecb0194d300377f58a523e2b0134833b324ed22cc5c709b6ebf0e7bc0b561ecbbae7c0e2ff01a976d55f6c6faa789fb751237a91c534158e681b5b90c13f

    Download Submit

  • \Windows\SysWOW64\HIMYM.DLL
    Filesize

    44KB

    MD5

    a210652a198f44ab68c705a7f21ed1d9

    SHA1

    e88654f61bd85388bcd3cd56272d6a59ad591911

    SHA256

    11ee4c430cac8669af711572b06b27c6b7e2729ebcf7cbe5c3ea073b86c8685a

    SHA512

    fbfdecb0194d300377f58a523e2b0134833b324ed22cc5c709b6ebf0e7bc0b561ecbbae7c0e2ff01a976d55f6c6faa789fb751237a91c534158e681b5b90c13f

    Download Submit

  • \Windows\SysWOW64\HIMYM.DLL
    Filesize

    44KB

    MD5

    a210652a198f44ab68c705a7f21ed1d9

    SHA1

    e88654f61bd85388bcd3cd56272d6a59ad591911

    SHA256

    11ee4c430cac8669af711572b06b27c6b7e2729ebcf7cbe5c3ea073b86c8685a

    SHA512

    fbfdecb0194d300377f58a523e2b0134833b324ed22cc5c709b6ebf0e7bc0b561ecbbae7c0e2ff01a976d55f6c6faa789fb751237a91c534158e681b5b90c13f

    Download Submit

  • memory/692-67-0x0000000010000000-0x0000000010027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/1232-65-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1232-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1232-56-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1232-55-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download