Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 14:42

General

  • Target

    855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe

  • Size

    662KB

  • MD5

    c6b01a57eb53feea05cbab7c1fc39c03

  • SHA1

    2ad9c7719783498514e712e450a0adaf60d09e6d

  • SHA256

    855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397

  • SHA512

    e576d0e5f32662bae817148dad9a7bce43ec971875924286c26c2b7745adec73c63976696545884640c7c8844274215bde3b80f7d692ef55f2914701d12daac7

  • SSDEEP

    12288:4ZoiuvhPq6VHX/wuoVjGFrGzcY7Vr8bBTgF3Z4mxxbgRoM9KkONLha4nfKE:cPuvhy61DFNY7R8bBgQmXbgOoGLPfKE

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe
    "C:\Users\Admin\AppData\Local\Temp\855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\uninstal.bat
        3⤵
          PID:1724
    • C:\Windows\Hacker.com.cn.exe
      C:\Windows\Hacker.com.cn.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        2⤵
          PID:1732

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

        Filesize

        295KB

        MD5

        620acaa531c9ed2e93d57bb02a49d463

        SHA1

        b81fe0a9a1c49c7fdbc28d131500746eb8715b13

        SHA256

        5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

        SHA512

        4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

        Filesize

        295KB

        MD5

        620acaa531c9ed2e93d57bb02a49d463

        SHA1

        b81fe0a9a1c49c7fdbc28d131500746eb8715b13

        SHA256

        5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

        SHA512

        4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

      • C:\Windows\Hacker.com.cn.exe

        Filesize

        295KB

        MD5

        620acaa531c9ed2e93d57bb02a49d463

        SHA1

        b81fe0a9a1c49c7fdbc28d131500746eb8715b13

        SHA256

        5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

        SHA512

        4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

      • C:\Windows\Hacker.com.cn.exe

        Filesize

        295KB

        MD5

        620acaa531c9ed2e93d57bb02a49d463

        SHA1

        b81fe0a9a1c49c7fdbc28d131500746eb8715b13

        SHA256

        5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

        SHA512

        4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

      • C:\Windows\uninstal.bat

        Filesize

        160B

        MD5

        69e01c599950b5caf5cd7ec972f89682

        SHA1

        2d34ceced77c1f86417c00f706e06cc902b11e3b

        SHA256

        b46da5e666a34856e6f9763f5bef2a4879b4d33f42ea1727be44a84e76fc8e5e

        SHA512

        48acf4f4b87eb21a255003a18ed572efb78d5c3ad90b4529bbb16dd32b53142c8f08fe4f567d29115e2ac1fb543f71c1b9ac3dc79cc14afda84c67f72ff11ba9

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

        Filesize

        295KB

        MD5

        620acaa531c9ed2e93d57bb02a49d463

        SHA1

        b81fe0a9a1c49c7fdbc28d131500746eb8715b13

        SHA256

        5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

        SHA512

        4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

        Filesize

        295KB

        MD5

        620acaa531c9ed2e93d57bb02a49d463

        SHA1

        b81fe0a9a1c49c7fdbc28d131500746eb8715b13

        SHA256

        5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

        SHA512

        4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

      • memory/784-61-0x0000000003160000-0x0000000003228000-memory.dmp

        Filesize

        800KB

      • memory/784-54-0x0000000001000000-0x0000000001104000-memory.dmp

        Filesize

        1.0MB

      • memory/784-69-0x0000000001000000-0x0000000001104000-memory.dmp

        Filesize

        1.0MB

      • memory/784-55-0x00000000001C0000-0x0000000000214000-memory.dmp

        Filesize

        336KB

      • memory/1488-72-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/1488-70-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/2008-68-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/2008-62-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/2008-60-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

        Filesize

        8KB