Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
17/10/2023, 14:16
231017-rk8n9scd4t 1017/10/2023, 14:14
231017-rj57racd3y 1018/01/2023, 09:10
230118-k42xhadg39 10Analysis
-
max time kernel
121s -
max time network
29s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
18/01/2023, 09:10
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20221111-en
General
-
Target
tmp.exe
-
Size
798KB
-
MD5
90aadf2247149996ae443e2c82af3730
-
SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502
-
SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
-
SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
SSDEEP
24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 tmp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2036 tmp.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1272 wrote to memory of 2036 1272 tmp.exe 29 PID 1272 wrote to memory of 2036 1272 tmp.exe 29 PID 1272 wrote to memory of 2036 1272 tmp.exe 29 PID 1272 wrote to memory of 2036 1272 tmp.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Writes to the Master Boot Record (MBR)
PID:1204
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2036
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
327B
MD52b01cf22aa01a589a15509128d590117
SHA15811b21161dec9e0c36e1d2205b6b9a30a98bb5a
SHA25607111154c7331970c9214da54a53c9675844cc400f419ae8ee3b8dc4dc7ce798
SHA51264604fbea7ce3be25acca4bba253bd204e35eb522b977ce20cceb0ff651e276c5492e148c17d416a4f531ae89a598da119e32a946c9e1876abfed17d40b08c7d