Analysis

  • max time kernel
    7s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64  arch:x86  image:win7-20220812-en  locale:en-us  os:windows7-x64  system
  • submitted
    2022-12-04, 14:10

General

  • Target

    a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe

  • Size

    20KB

  • MD5

    25e6e867b08bc91d8ca831f6c23f3652

  • SHA1

    8ce8a45b06ab5d13ff7ad77fed6c9f2b7e06b1ef

  • SHA256

    a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f

  • SHA512

    45f7d23ac43541b543fe909378b2e8d4099c4e4fe97c7edb1ec24099ba3f79c5174f08007446979f1ef70d664368e0e31427e6b76e724c243fb78182280ec606

  • SSDEEP

    96:xo7+1EsyLMa7ZiJzmnsIgeuLrGsqUTPf9nNhHDsxTmmLMugN:M0EnMaMNRrGsqUxNhHDYTmsMugN

Score
8/10

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information in the registry is often read to fingerprint sandbox or virtual-machine environments.

  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe
    "C:\Users\Admin\AppData\Local\Temp\a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\gskh83jejh4.inf
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
            PID:1468
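The chain above (sample -> rundll32 setupapi,InstallHinfSection DefaultInstall -> runonce.exe -r -> grpconv.exe -o) is the behaviour to alert on: InstallHinfSection is the documented setupapi entry point for installing an INF section, the report attributes the Run-key persistence to that rundll32 process (the INF, 361 B, hashed under Downloads, is the artifact to pull), and runonce.exe -r with grpconv.exe -o is the follow-on that Windows spawns after an INF install. The following is an added example, not tria.ge code: detection logic that builds a process tree from process-creation events and flags InstallHinfSection invocations, raising severity when the INF comes from a user-writable path. The events are constructed from the report's tree (parent PIDs, the benign control record and the name sample.exe are assumptions, not from the report).

```python
"""Added example (not part of the tria.ge report): flag rundll32
setupapi,InstallHinfSection installs and their runonce/grpconv follow-on."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; PIDs 1000/2000 and the
# C:\Windows\INF control record are assumptions for this example.
EVENTS = [
    ProcEvent(1776, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    ProcEvent(1732, 1776, r"C:\Windows\SysWOW64\Rundll32.exe",
              r"Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 "
              r"C:\Users\Admin\AppData\Local\Temp\gskh83jejh4.inf"),
    ProcEvent(1536, 1732, r"C:\Windows\SysWOW64\runonce.exe",
              r'"C:\Windows\system32\runonce.exe" -r'),
    ProcEvent(1468, 1536, r"C:\Windows\SysWOW64\grpconv.exe",
              r'"C:\Windows\System32\grpconv.exe" -o'),
    # benign control: INF shipped under the Windows directory, no follow-on
    ProcEvent(2000, 1000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 "
              r"C:\Windows\INF\control.inf"),
]

INSTALL_RE = re.compile(r"setupapi(?:\.dll)?\s*,\s*InstallHinfSection\b", re.I)
INF_RE = re.compile(r"(\S+\.inf)\b", re.I)
# locations a standard user can write to: heuristic, not an exhaustive list
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\|ProgramData\\|Temp\\)", re.I)


def descendants(events, root_pid):
    """All processes below root_pid in the parent/child tree (any depth)."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    out, stack = [], [root_pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            out.append(child)
            stack.append(child.pid)
    return out


def detect_inf_install_chain(events):
    findings = []
    for e in events:
        if not e.image.lower().endswith("rundll32.exe"):
            continue
        if not INSTALL_RE.search(e.cmdline):
            continue
        m = INF_RE.search(e.cmdline)
        inf = m.group(1) if m else ""
        kids = [k.image.rsplit("\\", 1)[-1].lower() for k in descendants(events, e.pid)]
        finding = {
            "pid": e.pid,
            "ppid": e.ppid,
            "inf": inf,
            "inf_user_writable": bool(USER_WRITABLE.search(inf)),
            "runonce": "runonce.exe" in kids,
            "grpconv": "grpconv.exe" in kids,
        }
        finding["severity"] = "high" if finding["inf_user_writable"] else "info"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_inf_install_chain(EVENTS):
        print(f)
```

Sysmon Event ID 1 carries the same four fields (ProcessId, ParentProcessId, Image, CommandLine), so the events can be read straight from a log export. The user-writable check is the discriminator: legitimate driver and component installs invoke InstallHinfSection too, but from C:\Windows\INF or an installer's own directory, not from a user's Temp folder as here.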

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gskh83jejh4.inf

    Filesize

    361B

    MD5

    618642199b4ebd8d873330dad867dde6

    SHA1

    2c5c409ef3f7f39850779d998338a2b29cb919f3

    SHA256

    7bfed1c63032c382904af6a219b4660fbb562b3d3a36797c824aedc034f8a108

    SHA512

    eda5a9ef387caf84949b490e7a2d2fd602e412141e2d81d2fe13fd4b4925dea662c65a3d6bc548de2f42d117986a6ee174ecca1c57555fb32dfb5bb9bce1e53a

  • memory/1732-57-0x0000000075521000-0x0000000075523000-memory.dmp

    Filesize

    8KB

  • memory/1776-58-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/1776-62-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB