Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    96s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2023, 11:50

General

  • Target

    7c9ae9ccfe7eac83b4ddddd9cc01212d.exe

  • Size

    1.7MB

  • MD5

    7c9ae9ccfe7eac83b4ddddd9cc01212d

  • SHA1

    bb07847d73cd18caee230b59c8077915c091a9b4

  • SHA256

    a71bf0c058f1e499400fc4d75dbb5bed6a90526cbc7597317b702f20c464c7bb

  • SHA512

    5444e38b75725d20d92f4b0a0f362162d53b4f7a084d8e3aac81c26d7c3b7e1d934fed5fb39a6f00162fe9be63c72b881480b677100095b79a9514689a0b98c8

  • SSDEEP

    49152:sMAaOSOOSjiNN+x3Oj1UMXg6iVTC6YLElQItj3kiU:7tQiT+x6eTQe3XU

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c9ae9ccfe7eac83b4ddddd9cc01212d.exe
    "C:\Users\Admin\AppData\Local\Temp\7c9ae9ccfe7eac83b4ddddd9cc01212d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:2136

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    716.7MB

    MD5

    1d31e37e0afd421d5c453863bccceba8

    SHA1

    7c42cd40bf4e3088c6885389e9e7e178758d91d8

    SHA256

    857a55b2f0f3086759e0a43f7c2c81d37402a267842507bdf5ece7578f7a0c3f

    SHA512

    6865eab61fe81c0833c170ef3e3998586a6bacf1c313b0d199a9c7b1eb7f5f54f2a6609e8ee497b3b61a8e21a25017e653774b4013e886ecf12d627167883281

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    716.7MB

    MD5

    1d31e37e0afd421d5c453863bccceba8

    SHA1

    7c42cd40bf4e3088c6885389e9e7e178758d91d8

    SHA256

    857a55b2f0f3086759e0a43f7c2c81d37402a267842507bdf5ece7578f7a0c3f

    SHA512

    6865eab61fe81c0833c170ef3e3998586a6bacf1c313b0d199a9c7b1eb7f5f54f2a6609e8ee497b3b61a8e21a25017e653774b4013e886ecf12d627167883281

  • memory/764-132-0x000000000293E000-0x0000000002AE8000-memory.dmp

    Filesize

    1.7MB

  • memory/764-133-0x0000000002AF0000-0x0000000002EC0000-memory.dmp

    Filesize

    3.8MB

  • memory/764-134-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

  • memory/764-138-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

  • memory/2136-139-0x0000000002574000-0x000000000271E000-memory.dmp

    Filesize

    1.7MB

  • memory/2136-140-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

  • memory/2136-141-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB