Analysis
- max time kernel: 96s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/02/2023, 11:50
Static task: static1

Behavioral task: behavioral1
- Sample: 7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
- Resource: win10v2004-20221111-en
General
- Target: 7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
- Size: 1.7MB
- MD5: 7c9ae9ccfe7eac83b4ddddd9cc01212d
- SHA1: bb07847d73cd18caee230b59c8077915c091a9b4
- SHA256: a71bf0c058f1e499400fc4d75dbb5bed6a90526cbc7597317b702f20c464c7bb
- SHA512: 5444e38b75725d20d92f4b0a0f362162d53b4f7a084d8e3aac81c26d7c3b7e1d934fed5fb39a6f00162fe9be63c72b881480b677100095b79a9514689a0b98c8
- SSDEEP: 49152:sMAaOSOOSjiNN+x3Oj1UMXg6iVTC6YLElQItj3kiU:7tQiT+x6eTQe3XU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2136 | ntlhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | 7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
- GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 29 | Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 764 wrote to memory of 2136 | 764 | 7c9ae9ccfe7eac83b4ddddd9cc01212d.exe | 85 (reported 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7c9ae9ccfe7eac83b4ddddd9cc01212d.exe (PID 764)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7c9ae9ccfe7eac83b4ddddd9cc01212d.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 2136)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 716.7MB
  MD5: 1d31e37e0afd421d5c453863bccceba8
  SHA1: 7c42cd40bf4e3088c6885389e9e7e178758d91d8
  SHA256: 857a55b2f0f3086759e0a43f7c2c81d37402a267842507bdf5ece7578f7a0c3f
  SHA512: 6865eab61fe81c0833c170ef3e3998586a6bacf1c313b0d199a9c7b1eb7f5f54f2a6609e8ee497b3b61a8e21a25017e653774b4013e886ecf12d627167883281