Analysis

  • max time kernel
    143s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/12/2022, 09:19 UTC

General

  • Target

    da2dfbb54b240fd1b6e551ad26b0ad77559915b5d0002965d415a9a7b4429522.exe

  • Size

    655KB

  • MD5

    6e6ea69ead35be47191fb6609ac3e139

  • SHA1

    c2ac097b643bab9393d629b150a1832f711a414e

  • SHA256

    da2dfbb54b240fd1b6e551ad26b0ad77559915b5d0002965d415a9a7b4429522

  • SHA512

    9b5be7fa560f39701a9f7513e2f1d439e8d05d43c124154ea49462d4f1a2e7a4feb00a1017e5280ba819e2c003ccf4701ffe7661ae47efddc31ac277bfe39d0e

  • SSDEEP

    12288:NtKe6Zv23YdqMGHGSX1388BxGVI43GVpinJ2suEn23teGb/2tEgL+msup0l:d6Zv2jbW1SaUEn2deGbSEO+ruW

Score
10/10

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da2dfbb54b240fd1b6e551ad26b0ad77559915b5d0002965d415a9a7b4429522.exe
    "C:\Users\Admin\AppData\Local\Temp\da2dfbb54b240fd1b6e551ad26b0ad77559915b5d0002965d415a9a7b4429522.exe"
    1⤵
    • Modifies system executable filetype association
    • Modifies Installed Components in the registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\spoolsv.exe
      C:\Windows\spoolsv.exe
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Modifies registry class
      PID:856

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\spoolsv.exe

    Filesize

    655KB

    MD5

    2651efbec96950f85ef4d70f7cb9a759

    SHA1

    2683b6c8c278484df76f40eb344b93907b6e127e

    SHA256

    a518232c88c2baaa4f68eb21dc13b77e9bad61b9ca5cbaa0f345a425ddc950b1

    SHA512

    aa0d31f2e27b03dec173900ba4fd2dd1dfc1facab2498678d59456d52ae8c050d6274b2222825ff41647472b68134f9784f03cf1c5a4becbb1fcb9984edff3bf

  • memory/620-54-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/620-57-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/856-58-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/856-59-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB
