Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

tmp.exe

windows7-x64

7

tmp.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    91s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/02/2023, 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    2.0MB

  • MD5

    c4377d5563d3c6b6af68a0a103a69c59

  • SHA1

    302a6299b0550510514f26df2d91f88c66248770

  • SHA256

    6fb43252ffec27bc90f9a92d995290ad67156a73288a5cbd054c4059f6c8e0fe

  • SHA512

    4e3cc901c864c2aa326a6abe2d97ae244bb91b86dfba50b1d7671c04d48211a126781e641f8cec91300bfd624ec2ba2eea044f811b25808c1d10cdbbee4297d8

  • SSDEEP

    49152:cylves1KfQtrRtGHzdyVSNO41wrkQPPAquD+t03T8:tf0ot6pw613Qwq4+t03T8

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:2076

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    827.0MB

    MD5

    bac50e5cbf1add9756d4b883ca5b9247

    SHA1

    46c593a7dff82d75d4a37be4f5561c68f2cbb0e0

    SHA256

    5d4604e24df7ce74e6db87b968fea5298b8b69da47bafa59d70951d86022f9a9

    SHA512

    066c613cebffcad5812b98511e08449630fdcb051f27282cb484c503c7a9ca1e87b2f77e518b2713961bac737d54a4f6d38c591a52f06fd18028d8a07100e7cf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    827.0MB

    MD5

    bac50e5cbf1add9756d4b883ca5b9247

    SHA1

    46c593a7dff82d75d4a37be4f5561c68f2cbb0e0

    SHA256

    5d4604e24df7ce74e6db87b968fea5298b8b69da47bafa59d70951d86022f9a9

    SHA512

    066c613cebffcad5812b98511e08449630fdcb051f27282cb484c503c7a9ca1e87b2f77e518b2713961bac737d54a4f6d38c591a52f06fd18028d8a07100e7cf

    Download Submit

  • memory/1812-132-0x0000000002675000-0x000000000281F000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1812-133-0x0000000002820000-0x0000000002BF0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1812-134-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1812-138-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2076-139-0x0000000002370000-0x000000000251A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2076-140-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2076-141-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download