
Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/03/2023, 04:05

General

  • Target

    943543daaa321ea04b8002ca12102484e06d3dbd912d67fe93ada07379838f7f.exe

  • Size

    4.9MB

  • MD5

    b9d71891e236be1aeed9b9a6a99dc8ce

  • SHA1

    0c82d8368887478652c3d1049b6c211ba51b235c

  • SHA256

    943543daaa321ea04b8002ca12102484e06d3dbd912d67fe93ada07379838f7f

  • SHA512

    f8559c3392701a063e59444f916a971baf4a9691925f8b368d1906f249e9fbe458af573b80d4d311ff3e47d849b5d1a88ee9e1fdec16afd34eaeb1faaf3a6a3f

  • SSDEEP

    98304:gu0gmbyldTpymEiaWIfx73bSl8GBUkMJpHTYYdVY7vM16E3GqlfiTv:f0gxv1ENLLSaGekwTYYdiZE3GqlE

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\943543daaa321ea04b8002ca12102484e06d3dbd912d67fe93ada07379838f7f.exe
    "C:\Users\Admin\AppData\Local\Temp\943543daaa321ea04b8002ca12102484e06d3dbd912d67fe93ada07379838f7f.exe"
    1⤵
    • Checks BIOS information in registry
    • Writes to the Master Boot Record (MBR)
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop Spooler
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\SysWOW64\net.exe
        net stop Spooler
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop Spooler
          4⤵
            PID:3828

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/2180-133-0x00000000007C0000-0x00000000007C1000-memory.dmp

      Filesize

      4KB

    • memory/2180-134-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB