Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    42s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/02/2023, 01:15

General

  • Target   be30ec7ab19bfedb892fde3afb577603.exe
  • Size     1.8MB
  • MD5      be30ec7ab19bfedb892fde3afb577603
  • SHA1     e52f9dea4400166c4f489a5626df0008a6eed818
  • SHA256   b398065ab48ca2a1900c2192c2883330b414f5f74fa04ecf2b6ae99698b8e63d
  • SHA512   227460bb3ee54c526a1a99519d7d461db2bd513e291fa6aed26d3cbdb81b79816015a05b1cdd06598dc893267a26311a5646f7c077625c574134d4d856e72afe
  • SSDEEP   49152:FuXEnBSze5817TMBYpenuq5oncZS6K6h8DCM:MEnIwicZS7TC

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • GoLang User-Agent (1 IoC)

    Uses the default User-Agent string that Go's net/http package sends when the program sets none: Go-http-client/1.1, or Go-http-client/2.0 over HTTP/2. Any Go program that never sets a User-Agent leaves this value, so on its own it is a weak indicator; correlate it with the sending process and the destination.

  • Suspicious use of WriteProcessMemory (4 IoCs)
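
The "GoLang User-Agent" signature translates directly into a proxy-log hunt. The following is an added example, not code from the tria.ge report or from the sample: it scans constructed, tab-separated proxy log lines for Go's default User-Agent and then prioritises clients whose Go-UA traffic goes to a literal IP address rather than a hostname. The log layout, the IP addresses and every log line are constructed for the example.

```python
"""Flag requests that carry Go's default User-Agent in a proxy log.

Added example; it is not part of the tria.ge report and not the sample's
code. Go's net/http sends "Go-http-client/1.1" (or "Go-http-client/2.0"
over HTTP/2) when the program sets no User-Agent, which is what the
"GoLang User-Agent" signature keys on. The log layout (tab-separated
timestamp, client IP, method, URL, User-Agent) and every line in it are
constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
2023-02-08T01:15:30Z\t10.0.0.5\tGET\thttp://example.invalid/update\tMozilla/5.0 (Windows NT 6.1; Win64; x64) Chrome/109.0
2023-02-08T01:15:41Z\t10.0.0.5\tPOST\thttp://203.0.113.7:8080/gate\tGo-http-client/1.1
2023-02-08T01:15:42Z\t10.0.0.5\tGET\thttp://203.0.113.7:8080/cfg\tGo-http-client/1.1
2023-02-08T01:16:02Z\t10.0.0.9\tGET\thttps://registry.example.invalid/v2/\tGo-http-client/2.0
2023-02-08T01:16:10Z\t10.0.0.9\tGET\thttps://example.invalid/\tcurl/7.86.0
"""

# Exact match: the default value is a bare token with no vendor suffix.
GO_DEFAULT_UA = re.compile(r"^Go-http-client/(1\.1|2\.0)$")


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, client, method, url, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def go_ua_hits(log_text):
    """Return {client_ip: [url, ...]} for requests sent with Go's default UA."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if GO_DEFAULT_UA.match(rec["ua"]):
            hits[rec["client"]].append(rec["url"])
    return dict(hits)


def is_bare_ip(url):
    """True when the URL host is a literal IP rather than a hostname."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def high_priority(hits):
    """Clients whose Go-UA traffic goes to a literal IP, worth looking at first.

    Any Go program that never sets a User-Agent leaves the default value,
    so the UA alone is a weak signal; a literal-IP destination from a
    workstation is the combination to chase, then pivot to the sending
    process on that host.
    """
    return sorted(c for c, urls in hits.items() if any(is_bare_ip(u) for u in urls))


if __name__ == "__main__":
    found = go_ua_hits(SAMPLE_LOG)
    for client, urls in found.items():
        print(client, "->", ", ".join(urls))
    print("prioritise:", high_priority(found))
```

Against the constructed log, both 10.0.0.5 and 10.0.0.9 send the default Go UA, but only 10.0.0.5 talks to a literal IP:port, so it is the one returned by high_priority.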

Processes

  • C:\Users\Admin\AppData\Local\Temp\be30ec7ab19bfedb892fde3afb577603.exe
    "C:\Users\Admin\AppData\Local\Temp\be30ec7ab19bfedb892fde3afb577603.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:2036
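
The process tree shows the persistence chain: the parent adds a Run key and drops ntlhost.exe under %APPDATA%\NTSystem, and the child is that dropped file. The report does not show the Run value name or data. The following is an added example, not code from the report or from the sample: it triages an exported set of HKCU Run values with two heuristics (image under AppData\Roaming or AppData\Local\Temp; a system-like name such as ntlhost.exe outside a system directory) and checks a file hash against the three ntlhost.exe SHA256s listed under Downloads. The Run values in it are constructed; collect real ones with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or winreg.

```python
"""Triage HKCU Run entries for the kind of persistence this report shows.

Added example; not part of the tria.ge report or the sample's code. The
sample writes a Run value and drops ntlhost.exe under %APPDATA%\\NTSystem,
but the report does not show the value name or data, so the Run values
below are constructed. Two heuristics are applied: the image lives under
AppData\\Roaming or AppData\\Local\\Temp (where this sample and much
commodity malware installs itself), or its name resembles a Windows system
binary while living outside a system directory. A third check matches a
file hash against the three ntlhost.exe SHA256s listed under Downloads.
"""
import hashlib
import ntpath
import re

# SHA256 of the three ntlhost.exe copies listed in this report's Downloads section.
KNOWN_DROPPED_SHA256 = {
    "4666dafb67a52e37c14ab3a466c5a865978ee684efea1ccda4dd508c6cfae2f9",
    "eb66fc0c02ff447ff472667535d1ab1844e198820d9d08b2e4cc3219f95977ff",
    "d873eadb0dfee25a11a8a0b0ef3bcb8fff6b89f8b58ed533a463fa13fe87adba",
}

# Constructed export of HKCU\...\CurrentVersion\Run: value name -> value data.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "NTSystem": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe",
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Updater": r'"C:\Users\Admin\AppData\Local\Temp\upd.exe" -s',
}

USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
LOOKALIKE = re.compile(r"host|svc|lsass", re.IGNORECASE)  # deliberately loose
SYSTEM_DIRS = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")


def image_path(value_data):
    """Extract the executable path from Run value data (quoted or first token)."""
    data = value_data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def triage_run_values(values):
    """Return [(value_name, image_path, [reasons])] for entries worth a look."""
    findings = []
    for name, data in values.items():
        path = image_path(data)
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("image under user-writable profile directory")
        if (LOOKALIKE.search(ntpath.basename(path))
                and not path.lower().startswith(SYSTEM_DIRS)):
            reasons.append("system-like name outside a system directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def sha256_of_file(path, chunk=1 << 20):
    """Chunked hash; the dropped copies here are ~660 MB, so never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_known_dropped(sha256_hex):
    """True if the hash matches one of the ntlhost.exe copies in the report."""
    return sha256_hex.lower() in KNOWN_DROPPED_SHA256


if __name__ == "__main__":
    for name, path, reasons in triage_run_values(SAMPLE_RUN_VALUES):
        print(f"{name}: {path}")
        for r in reasons:
            print("   -", r)
```

On the constructed values, NTSystem is flagged on both heuristics and Updater on the first; OneDrive under AppData\Local and the SecurityHealth entry under %windir% pass. Legitimate software does live under Roaming too, so in practice pair the path heuristic with signature checks on the image before escalating.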

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize  664.2MB
    MD5       8b28414864806cf051a8291ecb9ee9a8
    SHA1      3d2959d9c70486f99422dee44558a8ca2c9f40b3
    SHA256    4666dafb67a52e37c14ab3a466c5a865978ee684efea1ccda4dd508c6cfae2f9
    SHA512    67e6726ee75dbbc0c4bab9cc7d18772a7fa00786550b92b23b05f579ea97782cd2b0b2e0e302dc3147f3b5e115d9743a65dc27681bd5e95c552e857b8f04ebb2

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize  652.2MB
    MD5       5c4f5184fd5616848b5bdccfcbd55ea9
    SHA1      9e0f42db72c770f476a0a75d0b8bc29f232d6b58
    SHA256    eb66fc0c02ff447ff472667535d1ab1844e198820d9d08b2e4cc3219f95977ff
    SHA512    60b1d1a480c6ffdd9b8034947cc1960383af46b8b10f81a1ee0093391f9f4cd399417916c32a3a61a1bed931d4c2013b7801193537fe0a1b52ba12e77d20b575

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize  659.1MB
    MD5       781fccc98b943af53f954097db7b1166
    SHA1      495d04ff3aff128bbf5d2732290d9ec89e141a6e
    SHA256    d873eadb0dfee25a11a8a0b0ef3bcb8fff6b89f8b58ed533a463fa13fe87adba
    SHA512    e1af95edca7d17abca87552f79feed8afed5a6b4a995549d0299156486258c538efa049799ababccbe38aef66b9098a75e178999570d001abcb0f1bf6cd773d1

  Memory dumps (region addresses are as recorded by the sandbox)

    Dump                                                              Filesize
    memory/1388-57-0x0000000000400000-0x0000000000803000-memory.dmp   4.0MB
    memory/1388-54-0x0000000002300000-0x00000000024AA000-memory.dmp   1.7MB
    memory/1388-56-0x00000000024B0000-0x0000000002880000-memory.dmp   3.8MB
    memory/1388-55-0x0000000002300000-0x00000000024AA000-memory.dmp   1.7MB
    memory/1388-62-0x0000000000400000-0x0000000000803000-memory.dmp   4.0MB
    memory/2036-63-0x00000000020C0000-0x000000000226A000-memory.dmp   1.7MB
    memory/2036-64-0x00000000020C0000-0x000000000226A000-memory.dmp   1.7MB
    memory/2036-65-0x0000000002270000-0x0000000002640000-memory.dmp   3.8MB
    memory/2036-66-0x0000000000400000-0x0000000000803000-memory.dmp   4.0MB
    memory/2036-67-0x0000000000400000-0x0000000000803000-memory.dmp   4.0MB
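
A 1.8MB parent writing ntlhost.exe as three copies of 652-664MB, each with a different hash, means the full-file hashes above will not correlate this sample with any other drop of it. The following is an added example, not code from the report or from the sample: it strips a trailing run of filler from each copy and hashes the remaining core, so differently padded copies collapse to one value. The assumption, which the report does not state, is that the extra size is a trailing run of a single filler byte; the three sample files in the code are constructed to model that and are not the real dropped file.

```python
"""Hash the unpadded core of size-inflated binaries so variants correlate.

Added example; not part of the tria.ge report or the sample's code. The
report lists three copies of ntlhost.exe at 652-664 MB with three
different hashes, written by a 1.8 MB parent. The assumption made here,
which the report does not state, is that the extra size is a trailing
run of one filler byte; the files below are constructed to model that.
For a real file, pass open(path, "rb").read() to strip_trailing_padding().
"""
import hashlib

MIN_PAD = 1024  # shorter trailing runs are treated as part of the binary


def strip_trailing_padding(data, min_pad=MIN_PAD):
    """Return (core, pad_byte, pad_len); pad_byte is None when nothing was stripped.

    bytes.rstrip runs in C, so this is cheap even for a 660 MB buffer.
    Caveat: if the genuine image itself ends with the filler byte, those
    bytes are stripped too, which is why the core hash is a correlation
    key and not a replacement for the full-file hash.
    """
    if not data:
        return data, None, 0
    filler = data[-1:]
    core = data.rstrip(filler)
    pad_len = len(data) - len(core)
    if pad_len < min_pad:
        return data, None, 0
    return core, filler[0], pad_len


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def correlate(copies):
    """Map name -> (full_sha256, core_sha256, pad_byte, pad_len) for each copy."""
    out = {}
    for name, data in copies.items():
        core, pad_byte, pad_len = strip_trailing_padding(data)
        out[name] = (sha256_hex(data), sha256_hex(core), pad_byte, pad_len)
    return out


# Constructed stand-in for the real image: not a valid PE, just deterministic
# bytes that end in 0xFF so the zero filler below is cleanly separable.
FAKE_CORE = b"MZ" + bytes(range(256)) * 8


def build_samples():
    """Three copies of the same core with different amounts of 0x00 filler,
    modelling the three differently sized ntlhost.exe entries in the report."""
    return {
        "copy1": FAKE_CORE + b"\x00" * 5000,
        "copy2": FAKE_CORE + b"\x00" * 7000,
        "copy3": FAKE_CORE + b"\x00" * 6000,
    }


if __name__ == "__main__":
    for name, (full, core, pad_byte, pad_len) in correlate(build_samples()).items():
        print(f"{name}: full={full[:16]}... core={core[:16]}... "
              f"pad=0x{pad_byte:02x} x {pad_len}")
```

The three constructed copies produce three full-file hashes and one core hash. If the real filler is not a single repeated byte (random bytes, or a repeated pattern), this function returns the input unchanged and the copies still need to be compared another way, such as by section hashes of the PE header region they share.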