Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2022, 09:07
Static task: static1
Behavioral task: behavioral1
- Sample: 1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe
- Resource: win10v2004-20220812-en
General
- Target: 1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe
- Size: 296KB
- MD5: 5ca14e99d748f71d726d813bf574b11e
- SHA1: fb3eb15fb5d97236625591fd6511459019b8214f
- SHA256: 1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38
- SHA512: be208be98964ee7b2ece5c0a2e5207b7e34406b4b23638168e6185a32dd2f6cf437bc908f39e15c81921174e14e4cc52969e3004ceabb458787eec38faa1a947
- SSDEEP: 6144:IoOeH4vkd5jIxRFKA5tl1mnLZrWz3ZnnW/Mq3gg+FGtFrKs0MjDTQP/6oHp:IfeH4K5jal4yW/MMnwGtFmsy3P
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  896   niylb.exe
- Deletes itself (1 IoC)
  pid   Process
  1496  cmd.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1764  1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe
  1764  1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                               Process
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run        niylb.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niylb = "C:\\Users\\Admin\\AppData\\Roaming\\Adkoy\\niylb.exe"   niylb.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process                                                                  procid_target
  PID 1764 set thread context of 1496   1764  1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe   29
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process
  896   niylb.exe  (18 identical entries)
- Suspicious use of WriteProcessMemory (33 IoCs)
  description                         pid   Process                                                                  procid_target   entries
  PID 1764 wrote to memory of 896     1764  1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe   28              4
  PID 896 wrote to memory of 1120     896   niylb.exe                                                                19              5
  PID 896 wrote to memory of 1176     896   niylb.exe                                                                18              5
  PID 896 wrote to memory of 1204     896   niylb.exe                                                                17              5
  PID 896 wrote to memory of 1764     896   niylb.exe                                                                27              5
  PID 1764 wrote to memory of 1496    1764  1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe   29              9
Processes
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE (PID 1204)
  - C:\Users\Admin\AppData\Local\Temp\1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe, command line: "C:\Users\Admin\AppData\Local\Temp\1a252aca8dd53842529529aff8eafa6ccb495a7c7efd0ef7b421bb8d34261b38.exe" (PID 1764)
    Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Adkoy\niylb.exe, command line: "C:\Users\Admin\AppData\Roaming\Adkoy\niylb.exe" (PID 896)
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\RSQ906C.bat" (PID 1496)
      Signatures: Deletes itself
- C:\Windows\system32\Dwm.exe, command line: "C:\Windows\system32\Dwm.exe" (PID 1176)
- C:\Windows\system32\taskhost.exe, command line: "taskhost.exe" (PID 1120)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 303B
  MD5: 4ce61661f04672a10949dd908d99b433
  SHA1: 6a8d8686308255cf17f8e5a9857c50fff306e056
  SHA256: a93d4bc0394fd71f1fbbfcb9109ff109f4a2b55c97985b3d85e7b251c7737d82
  SHA512: 2a61c125593d126cc9576556fbc44a762eb39cbd7d951bffa7e363a636df8f0bf372f11bc1412a4593d424b8f3cd6e6ff53c045a70f667c88e9b5bbb1a03f06f
- Filesize: 296KB
  MD5: 149bd411ddad6fa0227552402822791c
  SHA1: 5d33d9c29409d4f670ba7ee40f29df366d0c9c3d
  SHA256: 4db55e61d47fffb49cedf7b19d85a5c70fb35f72ed99bee33acfb802dd8bb83e
  SHA512: e1456797f5595fcca4a2aa6d986a073b77159bce8ace9bf61bfa0073dc633de27c425d2516f81d8f4ffa9d30f92f372adaefa39c91a10f2231546ca1f1a7ec09