Analysis

  • max time kernel
    173s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20221111-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    01/12/2022, 04:13

General

  • Target

    661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe

  • Size

    543KB

  • MD5

    825100d6daff20bdd270b180f808d806

  • SHA1

    c79792ebd55b9b917b80eb96c5775c3b82e802b7

  • SHA256

    661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817

  • SHA512

    4e1097be9dfcd225739d9e5c25b98bb7e3eccc1ea7b31b849c474fb67290e6262c78b188971f3e6217036e76c83e476d33d930ffebe2c2f3d92adf62372f497c

  • SSDEEP

    6144:oa7m8DALU2df1HgpW+AvnfHFfCzGaEsu3c3ylXbWSullT/qYsgbWa6nU52QSFpnz:PUk5L52QSFpIc3bIKTsusSDz8hFPhs7

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 13 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
    "C:\Users\Admin\AppData\Local\Temp\661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\PROGRA~3\MICROS~1\dllhost.exe
      C:\PROGRA~3\MICROS~1\dllhost.exe /a 1
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\PROGRA~3\MICROS~1\dllhost.exe
        C:\PROGRA~3\MICROS~1\dllhost.exe /a 2
        3⤵
        • Executes dropped EXE
        PID:4584

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\PROGRA~3\MICROS~1\dllhost.exe

    Filesize

    543KB

    MD5

    cb3a643097a29585754a90beb0b52289

    SHA1

    998922b4975fdf1f5a8d0f616e51454fa39f3af4

    SHA256

    7759324731afc62e0187af8cc658d6ef066f3dd7ebfd233f28b92281fe4a05b2

    SHA512

    9098d8e71ec87bc72207f8078655e9fd445635ee2677005a4a390fc24cddbbd5370f5f31fab431ad61bcbba08fa16ae8e2c18a8cfb01d8573f14b8b3075d8e3d

  • C:\ProgramData\Microsoft\dllhost.exe

    Filesize

    543KB

    MD5

    cb3a643097a29585754a90beb0b52289

    SHA1

    998922b4975fdf1f5a8d0f616e51454fa39f3af4

    SHA256

    7759324731afc62e0187af8cc658d6ef066f3dd7ebfd233f28b92281fe4a05b2

    SHA512

    9098d8e71ec87bc72207f8078655e9fd445635ee2677005a4a390fc24cddbbd5370f5f31fab431ad61bcbba08fa16ae8e2c18a8cfb01d8573f14b8b3075d8e3d

  • C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

    Filesize

    10B

    MD5

    0add040528c8215d040ce3489ad106ad

    SHA1

    181f07eedc4bcd43efbe1d88880eaf2806eecb3a

    SHA256

    27abd241b03c78cb1d40cc8b51c69958ac4ec1b192d9b65b101bbeba39cd0106

    SHA512

    a485664036cfae46939595f61718ecd2c9d17f985da9213e1fc394f59442eebda9351d258260a0f00895186bc62b20f16d3a5921a45666431c2b6aa9b9876393
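The report gives a practitioner three things to hunt for on a suspect host: the dropped copy at C:\ProgramData\Microsoft\dllhost.exe (C:\PROGRA~3\MICROS~1 is the 8.3 short form of that directory; note the dropped file has a different hash from the submitted sample despite the identical 543KB size), Run and policy Run keys that point at it, and the 10-byte Twain002.Mtx marker in %TEMP%. The PowerShell below is an added triage script, not code from tria.ge or from the sample, that checks for each of these on the local machine. It assumes the persistence values contain the dropped path, which the report does not show (it names the signatures only), so it flags any Run-key entry or live process launching a dllhost.exe from outside the Windows system directories. Enumerating other users' hives under HKEY_USERS requires an elevated prompt.

```powershell
# Added triage script for the artifacts in this tria.ge report; not part of the report.
# Hashes and paths come from the report. The registry value names are unknown, so any
# Run/policy Run value launching a non-system dllhost.exe is flagged (assumption).

$ReportSha256 = @{
    '661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817' = 'submitted sample'
    '7759324731afc62e0187af8cc658d6ef066f3dd7ebfd233f28b92281fe4a05b2' = 'dropped dllhost.exe'
}
$SystemDirRegex = '(?i)\\Windows\\Sys(WOW64|tem32)\\'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy (C:\PROGRA~3\MICROS~1 == C:\ProgramData\Microsoft). A real dllhost.exe
#    lives only in System32/SysWOW64, so its presence here is suspicious regardless of hash.
$Dropped = Join-Path $env:ProgramData 'Microsoft\dllhost.exe'
if (Test-Path -LiteralPath $Dropped) {
    $h = (Get-FileHash -LiteralPath $Dropped -Algorithm SHA256).Hash.ToLower()
    if ($ReportSha256.ContainsKey($h)) {
        $Findings.Add("MATCH  $Dropped sha256=$h ($($ReportSha256[$h]))")
    } else {
        $Findings.Add("REVIEW $Dropped exists but sha256=$h is not in the report")
    }
}

# 2. Run and policy Run keys in HKLM and every loaded user hive
#    (the report records writes under HKEY_USERS as well as the two Run-key signatures).
$RunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$Hives = @('HKLM:') + (Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $Hives) {
    foreach ($sub in $RunSubKeys) {
        $key = "$hive\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata fields
            $data = [string]$p.Value
            if ($data -match '(?i)dllhost\.exe' -and $data -notmatch $SystemDirRegex) {
                $Findings.Add("MATCH  $key\$($p.Name) = $data")
            }
        }
    }
}

# 3. Marker file written to %TEMP% (10 bytes in the report; likely a run-once/mutex stand-in)
$Marker = Join-Path $env:TEMP 'Twain002.Mtx'
if (Test-Path -LiteralPath $Marker) {
    $Findings.Add("MATCH  $Marker (" + (Get-Item -LiteralPath $Marker).Length + ' bytes)')
}

# 4. Live dllhost.exe processes outside the system directories; the report shows the
#    dropped copy re-launching itself as '/a 1' then '/a 2', so print pid/ppid/cmdline.
Get-CimInstance Win32_Process -Filter "Name='dllhost.exe'" | ForEach-Object {
    if ($_.ExecutablePath -and $_.ExecutablePath -notmatch $SystemDirRegex) {
        $Findings.Add("MATCH  pid=$($_.ProcessId) ppid=$($_.ParentProcessId) cmd=$($_.CommandLine)")
    }
}

if ($Findings.Count -eq 0) { 'No artifacts from this report found.' } else { $Findings }
```

Run it from an elevated PowerShell so the HKEY_USERS hives of other logged-on users are readable; a REVIEW line means a dllhost.exe sits in ProgramData but does not match the report, which still warrants collecting the file, since a later build of the same dropper would carry a different hash.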