Analysis
max time kernel: 65s
max time network: 139s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17/05/2023, 11:25
Static task: static1
Behavioral task: behavioral1
  Sample: conhost.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: conhost.exe
  Resource: win10v2004-20230220-en
General
Target: conhost.exe
Size: 4.0MB
MD5: feccda803ece2e7a3b7e9798714ad47e
SHA1: e97182adccf8a7692e6ad2614b0fb7fd3898a1a2
SHA256: 14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
SHA512: dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287
SSDEEP: 49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe
Malware Config
Extracted
laplas
http://185.223.93.251
api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
Executes dropped EXE (1 IoC)
  pid 1716, process ntlhost.exe
Loads dropped DLL (2 IoCs)
  pid 2024, process conhost.exe
  pid 2024, process conhost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" (process: conhost.exe)
GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  HTTP User-Agent header, flow 3: Go-http-client/1.1
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2024 wrote to memory of 1716 (pid 2024, process conhost.exe, procid_target 28)
  PID 2024 wrote to memory of 1716 (pid 2024, process conhost.exe, procid_target 28)
  PID 2024 wrote to memory of 1716 (pid 2024, process conhost.exe, procid_target 28)
Processes
C:\Users\Admin\AppData\Local\Temp\conhost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
  PID: 2024
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    PID: 1716
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 531.6MB
MD5: eda06e99d629aaa4aba1599b37a26a0a
SHA1: 9dd085c95c8c4b348fafc04c5aafc863dbab2dff
SHA256: c51d9cea110ff23e8bc9507ff953262376102c19653a745cb7ce8102c58e58d1
SHA512: b4c7bdb7d49a27050f2dce5d090604d4920efcaa5810c02e4eb2c52b54733dc15de085bb1939740e5bf6381ff7cf7b99e0b0b83c28bbeb6537f3d31822dfdecf

Filesize: 395.6MB
MD5: 1396707e1808a73baba8cde89f753de1
SHA1: afb3414f447ef994eda60790132150da04ec752a
SHA256: 03505deec99793c062339374a6391e23787aced80f9523bcf1eda334fc9b9206
SHA512: 6f89170c57dc7008302438d4621161d7b098c8ccc5fb2f7e8bbf750d7b537dc34b84c0bfa33b8d31753f399cf2c60a08f99df9a8359dddb6b95478d8918f3007

Filesize: 387.4MB
MD5: 13709acb722c8a9d0514e074164a9c34
SHA1: a39c011ec44d663745a976a89afacca22db8672a
SHA256: 9fd3d8d5f8b91144039a524c1d849e94406d9c82c6c623f55ee2870adae85747
SHA512: 6bc3e4af210102e7f3607c704b32d64da505fcd3a0363ab7582ec9e9c3f2dceaa85172a92ad619894b3af6dea82c08154e23a33c208e06832a00cae6f10f3940