Analysis
-
max time kernel
31s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
11/05/2023, 13:55
Static task
static1
Behavioral task
behavioral1
Sample
conhost.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
conhost.exe
Resource
win10v2004-20230220-en
General
-
Target
conhost.exe
-
Size
4.0MB
-
MD5
feccda803ece2e7a3b7e9798714ad47e
-
SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2
-
SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
-
SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287
-
SSDEEP
49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe
Malware Config
Extracted
laplas
http://185.223.93.251
-
api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
-
Executes dropped EXE 1 IoCs
pid: 932 | Process: ntlhost.exe -
Loads dropped DLL 2 IoCs
pid: 1536 | Process: conhost.exe
pid: 1536 | Process: conhost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | Process: conhost.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description: HTTP User-Agent header | flow: 1 | ioc: Go-http-client/1.1 -
Suspicious use of WriteProcessMemory 3 IoCs
description: PID 1536 wrote to memory of 932 | pid: 1536 | Process: conhost.exe | procid_target: 28
description: PID 1536 wrote to memory of 932 | pid: 1536 | Process: conhost.exe | procid_target: 28
description: PID 1536 wrote to memory of 932 | pid: 1536 | Process: conhost.exe | procid_target: 28
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\conhost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
Tree level: 1
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1536 -
Path: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Tree level: 2 (child of PID 1536)
- Executes dropped EXE
PID:932
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
785.0MB
MD5
249b458562611a18080e282d3edeb386
SHA1
8a5a652f0a00dbf9eb02afb5916f09c5049a46a3
SHA256
4a985ef5933150afdfe2ce544ad48513b9c3685504d4076dea021f15ca18bbd1
SHA512
2df759290e4b16971c58a37a1cdad54f7b41ddeb3d5ed5b897ca910fd44da1cd9d30c259b9be481e7d06f4959fcd1c6aad4fbd052fc7157c153331fe7d550c4e
-
Filesize
610.6MB
MD5
2e351ff581f055ef658cef81721187b8
SHA1
2b622206e1bd2d5d092e33007ffc8f915a5397de
SHA256
e71c1f9a9d923a047a9b26b93ced5071ab14e788d103a1c74538e26e082a1751
SHA512
b89b8672d2804c53967655a534cdb5b124e0f43a82b1fae2fabc566870c7fd7f5b0980b5ad709d5a457ac9c27e896e0cba6f8d13201acb09e0cdb7edfae50a4f
-
Filesize
627.5MB
MD5
c1f285f388bd81083995fd628bae74d5
SHA1
6af1176466904f6c7d7d2b3c40e7544f6215bf97
SHA256
9d308e5cc79784485eb5b73da54995bbb4dd3aa0d5b218f48a240de26c1ea087
SHA512
1b8453d1118ec630700b88d7d51e7e1003f2a1b70c3541b4df7d45b43db8ec6af5ecd53c41cf5cbf20e62eb8956c198b0b7fa466190b61f694a73d67c251b9f3