Analysis
max time kernel: 43s
max time network: 148s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2023, 11:50

Static task: static1
Behavioral task: behavioral1 (sample 7c9ae9ccfe7eac83b4ddddd9cc01212d.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample 7c9ae9ccfe7eac83b4ddddd9cc01212d.exe, resource win10v2004-20221111-en)
General
Target: 7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
Size: 1.7MB
MD5: 7c9ae9ccfe7eac83b4ddddd9cc01212d
SHA1: bb07847d73cd18caee230b59c8077915c091a9b4
SHA256: a71bf0c058f1e499400fc4d75dbb5bed6a90526cbc7597317b702f20c464c7bb
SHA512: 5444e38b75725d20d92f4b0a0f362162d53b4f7a084d8e3aac81c26d7c3b7e1d934fed5fb39a6f00162fe9be63c72b881480b677100095b79a9514689a0b98c8
SSDEEP: 49152:sMAaOSOOSjiNN+x3Oj1UMXg6iVTC6YLElQItj3kiU:7tQiT+x6eTQe3XU
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 1936  ntlhost.exe
Loads dropped DLL (2 IoCs)
  PID 1552  7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
  PID 1552  7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  process: 7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
GoLang User-Agent (1 IoC)
  Uses the default user-agent string defined by the GoLang HTTP packages.
  flow 1: HTTP User-Agent header = Go-http-client/1.1
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1552 (7c9ae9ccfe7eac83b4ddddd9cc01212d.exe) wrote to memory of PID 1936, procid_target 28
  PID 1552 (7c9ae9ccfe7eac83b4ddddd9cc01212d.exe) wrote to memory of PID 1936, procid_target 28
  PID 1552 (7c9ae9ccfe7eac83b4ddddd9cc01212d.exe) wrote to memory of PID 1936, procid_target 28
  PID 1552 (7c9ae9ccfe7eac83b4ddddd9cc01212d.exe) wrote to memory of PID 1936, procid_target 28
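A hunt for the persistence artifact recorded in the "Adds Run key to start application" signature above, added here as an example and not part of the tria.ge report: it scans Sysmon Event ID 13 records (RegistryEvent, value set) reduced to Python dicts and flags any Run/RunOnce value whose target executable lives in a user-writable directory such as %APPDATA%, which is where ntlhost.exe was planted. The three events and the field names are constructed for this example; only the first one mirrors the report's IoC (same SID, value name and path), the other two are made-up benign records. Sysmon reports the key with an HKU\ or HKLM\ prefix where the report shows the kernel \REGISTRY\USER\ form, so the check matches on the Run\ suffix and works for either.

```python
"""Flag Run-key persistence entries that launch binaries from user-writable paths.

Added example. Input records are constructed Sysmon Event ID 13 events reduced to
dicts, not logs taken from this report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Any value written under ...\CurrentVersion\Run or RunOnce, regardless of hive prefix.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# Locations a standard user can write to without elevation. A legitimate autostart
# entry normally points under Program Files or Windows, not here.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\"
    r"|\\ProgramData\\"
    r"|\\Users\\Public\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    value_name: str    # the Run value name, e.g. NTSystem
    target_path: str   # executable the value launches at logon
    writer_image: str  # process that wrote the value
    reason: str


def extract_exe_path(details: str) -> str:
    """Return the executable path from a Run value's data, dropping quotes and arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def check_run_key_event(event: dict) -> Optional[Finding]:
    """Return a Finding if this 'value set' event plants an autostart in a user-writable dir."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    exe = extract_exe_path(event.get("Details", ""))
    if not USER_WRITABLE_RE.search(exe):
        return None
    return Finding(
        value_name=target.rsplit("\\", 1)[-1],
        target_path=exe,
        writer_image=event.get("Image", ""),
        reason="Run value launches a binary from a user-writable directory",
    )


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run the check over a stream of events and collect the hits."""
    return [f for f in map(check_run_key_event, events) if f is not None]


# Constructed sample events (hypothetical Sysmon records, not from this sandbox run).
SAMPLE_EVENTS = [
    {   # modelled on the IoC in the report: dropper in Temp writes HKCU Run\NTSystem
        "EventID": 13,
        "Image": r"C:\Users\Admin\AppData\Local\Temp\7c9ae9ccfe7eac83b4ddddd9cc01212d.exe",
        "TargetObject": r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem",
        "Details": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe",
    },
    {   # benign-looking autostart under Program Files with an argument: not flagged
        "EventID": 13,
        "Image": r"C:\Program Files\Example\setup.exe",
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
        "Details": r'"C:\Program Files\Example\updater.exe" /background',
    },
    {   # registry write that is not under a Run key at all: ignored
        "EventID": 13,
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.value_name}: {f.target_path} (written by {f.writer_image}) - {f.reason}")
```

Two follow-ups worth adding in a real deployment: treat the writer image itself living in Temp (as here) as a second signal, and baseline the value names your fleet legitimately uses so that a new one like NTSystem stands out on its own.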
Processes
1. C:\Users\Admin\AppData\Local\Temp\7c9ae9ccfe7eac83b4ddddd9cc01212d.exe  (PID 1552)
   command line: "C:\Users\Admin\AppData\Local\Temp\7c9ae9ccfe7eac83b4ddddd9cc01212d.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe  (PID 1936, child of PID 1552)
      command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1
  Filesize: 593.2MB
  MD5: dc445e89280255e62e5b493e77854c5a
  SHA1: 5d93c55b8b529f54ca64fca7b4598aeefd6803d8
  SHA256: 2e108f0956a449e5ab0c8aca29a189fcaa8b0cdea7cbaf3d3babc125dc174440
  SHA512: ac5197903088bda320d34611d021b5b792e57a9da8ce400d47c6d4b49fe47e95ccbf23cc2f644681875414396ac3812e0058cb45f65d763cdd0f9096bd1cba6e
File 2
  Filesize: 625.6MB
  MD5: e5df1e25d257a3160a18186422eb726b
  SHA1: f4f506d108677ed1c99cc1c3bf145fd598d745a9
  SHA256: 2205623e673addabe559808d6e0e7579d491c993f4097b24b44614c22c422c26
  SHA512: 57335d4564f74a37354118bce1374b9d46b4b48adc393a3e1d322ef262394082c6a1e566b747e71a147140db0c7bc251c11a495f7affd79901972ef7936f0e84
File 3
  Filesize: 580.6MB
  MD5: 7c50d089cf80e635382d8d304b02f497
  SHA1: 4360237565db50e20aaa2c26a6635f19505f796b
  SHA256: c90977acb5a302886c7fd72c1e8ecebc22fc1870e18daeb9d266294468899a9e
  SHA512: 5a498f51a4733c461a8ed602f82e19fa3a68315a831bea382557aaba6bc80d081e7dcab7ede3f619dc6969660a25cc48d5f0c75438257e45b2257d1333f72e83