Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 46s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 18/03/2023, 20:59
Static task: static1
Behavioral task: behavioral1
- Sample: avicapn32.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: avicapn32.exe
- Resource: win10v2004-20230220-en
General
- Target: avicapn32.exe
- Size: 8.6MB
- MD5: 8d7cf73ce0624c89820492186e81268e
- SHA1: f43f83b11e6e4b850297443a30803f72cef99489
- SHA256: 2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29
- SHA512: 2bc53e07e6d5d6b4267430011943824590001d8c341a5ccffb2260fc26fa1693d4a146f27a26a579450f822c5998551dfda50814e0b24d4cba8c903ccd8289cd
- SSDEEP: 196608:dCFM0/NuKzJqwRCCuNhH8DuSHVKiPxtgDe/3jyAan7Ftnl+6+GVp7:KMMsA3U4t1HDOAI7T7
Malware Config
Extracted
- laplas
- http://185.223.93.223
- api_key: afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
Signatures
- Executes dropped EXE (1 IoC)
  pid 1344, process ntlhost.exe
- Loads dropped DLL (2 IoCs)
  pid 1804, process avicapn32.exe (reported twice)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe", process avicapn32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid 1804, process avicapn32.exe (reported twice); pid 1344, process ntlhost.exe (reported twice)
- GoLang User-Agent (1 IoC)
  Uses the default user-agent string defined by the GoLang HTTP packages.
  HTTP User-Agent header: Go-http-client/1.1 (flow 2)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1804, process avicapn32.exe; pid 1344, process ntlhost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1804 wrote to memory of 1344; pid 1804, process avicapn32.exe, procid_target 28 (four identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\avicapn32.exe (tree level 1, PID 1804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\avicapn32.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (tree level 2, PID 1344)
  Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 468.0MB
  MD5: 46fe26a8d2fc41726fe7f596b6d9e162
  SHA1: a7328a357683b02ed31987faca6ed82d42554a64
  SHA256: 099cd8c9bc98fe7dacd017fc7fc7150e9a1ecd60316e2d42fc0718443dd29eb6
  SHA512: 4822cbfeed34669d24c4c59d53a265e232ba8096e1969dc1a3ba2c57790216599ee0e5ddf70b18fcba8bc1c161285307028a0ba6319e9dc01adbb45acf50b820
- Filesize: 493.2MB
  MD5: 9fa5a726c02db746a06fe160718218cb
  SHA1: c62c59d7b066e02eddeac38108abfe085c6ec5f1
  SHA256: 65344b6b0ae35cd01ecce04aeee9db219e02bd1fb4df8d21ab029b41320af703
  SHA512: 891dfd97c08e0a1d25626ebca8015a9aae0c5af21782876d36faf6ed414216aeff5e6f5923702b1c9801dc76efaaf9455eb7db0efa931cc9f252455b18f882c3
- Filesize: 463.7MB
  MD5: ff4d911c639b36fb7c34d4ebbde4ca99
  SHA1: 6f0980e8af95364ad98f50d7542fab87e7666836
  SHA256: 749bc2d74751369b4ee1f99bd2ac06223dbcbfd4e836f756826256b70f6633b2
  SHA512: 6245b9c43891fb3fc14f5f419d73bdb006a3c039d4d9769267ee9968a9b813fafd86b6d6e187c4ba6316377448a42069158d6fe9cc6736d0f0d62a1df389918e
- Filesize: 420.3MB
  MD5: 5c10584c3d3842705afa32a500b76f5e
  SHA1: 5851ccd77432fd76850b5c34eb75a42b20fd2958
  SHA256: 60b0d99df3d033641ad23529f1a24863f560500e6fb01b587d532a6962219e17
  SHA512: 0d22af8bef6236ff1f318e9c71008fc340aa303af4029493afe2d3bf7919c5a0eae172edca6f578af58a0fdabadf3cccdabe1820c9f48d03a6a71e4fa4d3bf79