Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    43s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02/02/2023, 11:50

General

  • Target

    7c9ae9ccfe7eac83b4ddddd9cc01212d.exe

  • Size

    1.7MB

  • MD5

    7c9ae9ccfe7eac83b4ddddd9cc01212d

  • SHA1

    bb07847d73cd18caee230b59c8077915c091a9b4

  • SHA256

    a71bf0c058f1e499400fc4d75dbb5bed6a90526cbc7597317b702f20c464c7bb

  • SHA512

    5444e38b75725d20d92f4b0a0f362162d53b4f7a084d8e3aac81c26d7c3b7e1d934fed5fb39a6f00162fe9be63c72b881480b677100095b79a9514689a0b98c8

  • SSDEEP

    49152:sMAaOSOOSjiNN+x3Oj1UMXg6iVTC6YLElQItj3kiU:7tQiT+x6eTQe3XU

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
    "C:\Users\Admin\AppData\Local\Temp\7c9ae9ccfe7eac83b4ddddd9cc01212d.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1936

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    593.2MB

    MD5

    dc445e89280255e62e5b493e77854c5a

    SHA1

    5d93c55b8b529f54ca64fca7b4598aeefd6803d8

    SHA256

    2e108f0956a449e5ab0c8aca29a189fcaa8b0cdea7cbaf3d3babc125dc174440

    SHA512

    ac5197903088bda320d34611d021b5b792e57a9da8ce400d47c6d4b49fe47e95ccbf23cc2f644681875414396ac3812e0058cb45f65d763cdd0f9096bd1cba6e

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    625.6MB

    MD5

    e5df1e25d257a3160a18186422eb726b

    SHA1

    f4f506d108677ed1c99cc1c3bf145fd598d745a9

    SHA256

    2205623e673addabe559808d6e0e7579d491c993f4097b24b44614c22c422c26

    SHA512

    57335d4564f74a37354118bce1374b9d46b4b48adc393a3e1d322ef262394082c6a1e566b747e71a147140db0c7bc251c11a495f7affd79901972ef7936f0e84

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    580.6MB

    MD5

    7c50d089cf80e635382d8d304b02f497

    SHA1

    4360237565db50e20aaa2c26a6635f19505f796b

    SHA256

    c90977acb5a302886c7fd72c1e8ecebc22fc1870e18daeb9d266294468899a9e

    SHA512

    5a498f51a4733c461a8ed602f82e19fa3a68315a831bea382557aaba6bc80d081e7dcab7ede3f619dc6969660a25cc48d5f0c75438257e45b2257d1333f72e83

  • memory/1552-57-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

  • memory/1552-54-0x00000000022A0000-0x000000000244A000-memory.dmp

    Filesize

    1.7MB

  • memory/1552-56-0x0000000002450000-0x0000000002820000-memory.dmp

    Filesize

    3.8MB

  • memory/1552-55-0x00000000022A0000-0x000000000244A000-memory.dmp

    Filesize

    1.7MB

  • memory/1552-63-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

  • memory/1936-62-0x0000000001FE0000-0x000000000218A000-memory.dmp

    Filesize

    1.7MB

  • memory/1936-64-0x0000000001FE0000-0x000000000218A000-memory.dmp

    Filesize

    1.7MB

  • memory/1936-65-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

  • memory/1936-66-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB