Analysis
- max time kernel: 247s
- max time network: 337s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2022, 18:43
Static task: static1
Behavioral task: behavioral1
- Sample: b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe
- Resource: win10v2004-20221111-en
General
- Target: b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe
- Size: 327KB
- MD5: c8b35bda3870044f416dc32c0fd45646
- SHA1: c98d330d000e8e2a497f050c6eeceb751c475c0d
- SHA256: b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2
- SHA512: 90603064045e4df00eabd3bc2c5439ed71dfc9f649c1dc4a86803741c265cb334998c2340db9d4cdc658cffb66478ad78f65de4fac17683caded1a75e1e1e66f
- SSDEEP: 6144:ROrb/7NraKU6SK9EE7RkCVAwDBYsMIrAj+eyJmSbPTOs0c9PQdMb1ljIf7Sny:RoT7NzUPK9EE7hzxAjZyJmSXOs0mPQOW
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  576   DSA.EXE
  1936  Hacker.com.cn.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  772   b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe
  772   b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe
  576   DSA.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Process: b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe
- Drops file in Windows directory (2 IoCs)
  description                   ioc                           Process
  File created                  C:\Windows\Hacker.com.cn.exe  DSA.EXE
  File opened for modification  C:\Windows\Hacker.com.cn.exe  DSA.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  576   DSA.EXE
  Token: SeDebugPrivilege  1936  Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  1936  Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                                                                procid_target
  PID 772 wrote to memory of 576    772   b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe  27
  PID 772 wrote to memory of 576    772   b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe  27
  PID 772 wrote to memory of 576    772   b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe  27
  PID 772 wrote to memory of 576    772   b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe  27
  PID 772 wrote to memory of 576    772   b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe  27
  PID 772 wrote to memory of 576    772   b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe  27
  PID 772 wrote to memory of 576    772   b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe  27
  PID 1936 wrote to memory of 1208  1936  Hacker.com.cn.exe                                                      29
  PID 1936 wrote to memory of 1208  1936  Hacker.com.cn.exe                                                      29
  PID 1936 wrote to memory of 1208  1936  Hacker.com.cn.exe                                                      29
  PID 1936 wrote to memory of 1208  1936  Hacker.com.cn.exe                                                      29
Processes
- C:\Users\Admin\AppData\Local\Temp\b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe
  "C:\Users\Admin\AppData\Local\Temp\b138c7c0f7c462bd3b78ae7fdd98903f87560aab8bae6ecd4847be2b551c52e2.exe"
  PID: 772
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DSA.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DSA.EXE
    PID: 576
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Hacker.com.cn.exe
  C:\Windows\Hacker.com.cn.exe
  PID: 1936
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 1208
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 290KB
  MD5: fb5d9233faca3ceaec5cd99ea9dc27ed
  SHA1: ec10a970b246c88e2b5f1371bdc4829feb9f5e4d
  SHA256: 7dcb83d6d422e8eb550a7c6933b74bbf1f00b79f5fd09e45d281f17383822ebe
  SHA512: bf2834def89f1a6b83a4f3b5a45c9651915f17b7ceddecf8abbe9a6c6d0c41eb143282c3b36b6bb222e4fce79697931d333cf5ab6f00cbe142677f2bfbed4bb6