Analysis
- max time kernel: 136s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 21/03/2023, 14:38
Static task: static1
Behavioral task: behavioral1
- Sample: 21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe
- Resource: win10v2004-20230220-en
General
- Target: 21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe
- Size: 1.9MB
- MD5: c8fa0087f27ed56934adf9f106755304
- SHA1: ae27342a17c8bc32a68f6e68436a6ae380f90ed9
- SHA256: 21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b
- SHA512: 1401f941d8a0e06ef5754e8c2bc36930ffa121fa99759c4b90d031e191a107903a115ad9b2f67d08c6082d3c0850e94ef7cd9b4659264af85ae691ee0d5d8b0d
- SSDEEP: 49152:zWrbeHdtxdC968KLFVvLw5xs0baRMJ1K4yo:zW+Hdt/861LFVLuGkyo
Malware Config
Extracted
- family: laplas
- url: http://45.87.154.105
- api_key: 1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
- Executes dropped EXE (1 IoC)
  pid 1072, process ntlhost.exe
- Loads dropped DLL (2 IoCs)
  pid 1316, process 21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  process: 21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe
- GoLang User-Agent (1 IoC)
  Uses the default user-agent string defined by the GoLang HTTP packages.
  description: HTTP User-Agent header; flow: 1; ioc: Go-http-client/1.1
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1316 wrote to memory of 1072; pid: 1316; process: 21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe; procid_target: 28 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe (PID 1316)
  command line: "C:\Users\Admin\AppData\Local\Temp\21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 1072, child of 1316)
    command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads