Analysis
- max time kernel: 42s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08/02/2023, 01:15
Static task: static1
Behavioral task: behavioral1
- Sample: be30ec7ab19bfedb892fde3afb577603.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: be30ec7ab19bfedb892fde3afb577603.exe
- Resource: win10v2004-20221111-en
General
- Target: be30ec7ab19bfedb892fde3afb577603.exe
- Size: 1.8MB
- MD5: be30ec7ab19bfedb892fde3afb577603
- SHA1: e52f9dea4400166c4f489a5626df0008a6eed818
- SHA256: b398065ab48ca2a1900c2192c2883330b414f5f74fa04ecf2b6ae99698b8e63d
- SHA512: 227460bb3ee54c526a1a99519d7d461db2bd513e291fa6aed26d3cbdb81b79816015a05b1cdd06598dc893267a26311a5646f7c077625c574134d4d856e72afe
- SSDEEP: 49152:FuXEnBSze5817TMBYpenuq5oncZS6K6h8DCM:MEnIwicZS7TC
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2036, process ntlhost.exe
- Loads dropped DLL (2 IoCs)
  pid 1388, process be30ec7ab19bfedb892fde3afb577603.exe
  pid 1388, process be30ec7ab19bfedb892fde3afb577603.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" (process be30ec7ab19bfedb892fde3afb577603.exe)
- GoLang User-Agent (1 IoC)
  Uses the default user-agent string defined by the Go HTTP packages.
  HTTP User-Agent header, flow 1: Go-http-client/1.1
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1388 wrote to memory of 2036 (be30ec7ab19bfedb892fde3afb577603.exe, procid_target 28)
  PID 1388 wrote to memory of 2036 (be30ec7ab19bfedb892fde3afb577603.exe, procid_target 28)
  PID 1388 wrote to memory of 2036 (be30ec7ab19bfedb892fde3afb577603.exe, procid_target 28)
  PID 1388 wrote to memory of 2036 (be30ec7ab19bfedb892fde3afb577603.exe, procid_target 28)
Processes
1. C:\Users\Admin\AppData\Local\Temp\be30ec7ab19bfedb892fde3afb577603.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\be30ec7ab19bfedb892fde3afb577603.exe"
   PID: 1388
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 2036
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 664.2MB
  MD5: 8b28414864806cf051a8291ecb9ee9a8
  SHA1: 3d2959d9c70486f99422dee44558a8ca2c9f40b3
  SHA256: 4666dafb67a52e37c14ab3a466c5a865978ee684efea1ccda4dd508c6cfae2f9
  SHA512: 67e6726ee75dbbc0c4bab9cc7d18772a7fa00786550b92b23b05f579ea97782cd2b0b2e0e302dc3147f3b5e115d9743a65dc27681bd5e95c552e857b8f04ebb2
- Filesize: 652.2MB
  MD5: 5c4f5184fd5616848b5bdccfcbd55ea9
  SHA1: 9e0f42db72c770f476a0a75d0b8bc29f232d6b58
  SHA256: eb66fc0c02ff447ff472667535d1ab1844e198820d9d08b2e4cc3219f95977ff
  SHA512: 60b1d1a480c6ffdd9b8034947cc1960383af46b8b10f81a1ee0093391f9f4cd399417916c32a3a61a1bed931d4c2013b7801193537fe0a1b52ba12e77d20b575
- Filesize: 659.1MB
  MD5: 781fccc98b943af53f954097db7b1166
  SHA1: 495d04ff3aff128bbf5d2732290d9ec89e141a6e
  SHA256: d873eadb0dfee25a11a8a0b0ef3bcb8fff6b89f8b58ed533a463fa13fe87adba
  SHA512: e1af95edca7d17abca87552f79feed8afed5a6b4a995549d0299156486258c538efa049799ababccbe38aef66b9098a75e178999570d001abcb0f1bf6cd773d1