Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

9b70703453...8b.exe

windows7-x64

8

9b70703453...8b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    244s
  • max time network
    359s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b70703453eb80f60f513e5137d25aa18b0a0d81430ab0e0bee7e9258597b08b.exe

  • Size

    215KB

  • MD5

    4096b79465c5ca13a51d3796e45b2fb7

  • SHA1

    926df40f8eca0d24dfb3a2d52d76c21e8485594f

  • SHA256

    9b70703453eb80f60f513e5137d25aa18b0a0d81430ab0e0bee7e9258597b08b

  • SHA512

    ea104e334cb8f67da73b5fbdab10ca0484bf6c43c548722d8c1e21af7b571329fe3be847f5c7d7d95fddca8d6cbe3d2b18e29d7d1fe0b632d737d7cbf39f04dd

  • SSDEEP

    3072:asqSArBa4ElitwFx0iTME/R7QanRiyKdbnnVD4QSamvWTdcHiBPc/tS8Ey0P:aFxBa4VCx0FE/B9mdbnVDB5N1Buzi

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:332
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\9b70703453eb80f60f513e5137d25aa18b0a0d81430ab0e0bee7e9258597b08b.exe
      "C:\Users\Admin\AppData\Local\Temp\9b70703453eb80f60f513e5137d25aa18b0a0d81430ab0e0bee7e9258597b08b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system32\consrv.dll
    Filesize

    52KB

    MD5

    e60558bda4e220f494f7ef757f0bd725

    SHA1

    9e1215bdad1a51123a4eb012f1f4e3103ac436ed

    SHA256

    86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98

    SHA512

    e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576

    Download Submit

  • \Windows\System32\consrv.dll
    Filesize

    52KB

    MD5

    e60558bda4e220f494f7ef757f0bd725

    SHA1

    9e1215bdad1a51123a4eb012f1f4e3103ac436ed

    SHA256

    86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98

    SHA512

    e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576

    Download Submit

  • memory/332-70-0x0000000000890000-0x00000000008A1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/692-54-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/692-55-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/692-56-0x0000000000450000-0x0000000000497000-memory.dmp

    Filesize

    284KB

    Download

  • memory/692-66-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/692-67-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1228-61-0x00000000029D0000-0x00000000029D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1228-65-0x00000000029D0000-0x00000000029D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1228-57-0x00000000029D0000-0x00000000029D6000-memory.dmp

    Filesize

    24KB

    Download