Analysis
- max time kernel: 31s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 17/05/2023, 17:07
Static task
- static1
Behavioral task
- behavioral1
  - Sample: conhost.exe
  - Resource: win7-20230220-en
Behavioral task
- behavioral2
  - Sample: conhost.exe
  - Resource: win10v2004-20230220-en
General
- Target: conhost.exe
- Size: 4.0MB
- MD5: feccda803ece2e7a3b7e9798714ad47e
- SHA1: e97182adccf8a7692e6ad2614b0fb7fd3898a1a2
- SHA256: 14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
- SHA512: dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287
- SSDEEP: 49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe
Malware Config
Extracted
- Family: laplas
- C2: http://185.223.93.251
- api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
- Executes dropped EXE (1 IoC)
  - pid 1692, Process ntlhost.exe
- Loads dropped DLL (2 IoCs)
  - pid 1732, Process conhost.exe
  - pid 1732, Process conhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - description: Set value (str)
  - ioc: \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  - Process: conhost.exe
- GoLang User-Agent (1 IoC)
  - Uses the default user-agent string defined by the GoLang HTTP packages.
  - description: HTTP User-Agent header; flow: 1; ioc: Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  - description: PID 1732 wrote to memory of 1692; pid: 1732; Process: conhost.exe; procid_target: 28
  - description: PID 1732 wrote to memory of 1692; pid: 1732; Process: conhost.exe; procid_target: 28
  - description: PID 1732 wrote to memory of 1692; pid: 1732; Process: conhost.exe; procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\conhost.exe (command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"), PID: 1732
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe), PID: 1692
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads