Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    104s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/12/2022, 14:44

General

  • Target

    8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe

  • Size

    1.9MB

  • MD5

    9ab5316f8ee1944cc840f1f36f0c8994

  • SHA1

    5319af8e4de0418241e8fa875fb6810b928049a5

  • SHA256

    8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b

  • SHA512

    1832be33a9701149bd80a503208b698202c19d07449f7e960e3cbb22732df446afa1de2cea1cbdc5bfe9c298770e980f076f1a3f5717f39a0a40c256a833678c

  • SSDEEP

    49152:ZKDtHkYWvPfiVlemyn/xNzZiBEoKx1SYao:Zut/cPf8le9/xtoEoKTOo

Score
7/10

Malware Config

Signatures

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
    "C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe"
    1⤵
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
      C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:816
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1276

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/816-62-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
  • memory/816-73-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
  • memory/816-72-0x0000000010000000-0x0000000010013000-memory.dmp (Filesize 76KB)
  • memory/816-67-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
  • memory/816-58-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
  • memory/816-59-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
  • memory/816-61-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
  • memory/1048-57-0x0000000074E61000-0x0000000074E63000-memory.dmp (Filesize 8KB)
  • memory/1048-65-0x0000000000400000-0x00000000007CB000-memory.dmp (Filesize 3.8MB)
  • memory/1048-66-0x0000000004500000-0x00000000048CB000-memory.dmp (Filesize 3.8MB)
  • memory/1048-54-0x0000000000400000-0x00000000007CB000-memory.dmp (Filesize 3.8MB)
  • memory/1048-56-0x0000000000400000-0x00000000007CB000-memory.dmp (Filesize 3.8MB)
  • memory/1048-55-0x00000000020F0000-0x000000000227B000-memory.dmp (Filesize 1.5MB)
  • memory/1276-69-0x000000007FFF0000-0x000000007FFF7000-memory.dmp (Filesize 28KB)