Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 126s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/06/2023, 10:30
Behavioral task: behavioral1
- Sample: TSD.exe
- Resource: win7-20230220-en
General
- Target: TSD.exe
- Size: 649KB
- MD5: 2574234ccd8503284e9d4d910e39e132
- SHA1: aa7943ef2c8979d4daf653b056649a5dff0718c0
- SHA256: 8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c
- SHA512: e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7
- SSDEEP: 12288:B6UaeOpx41/an46A9jmP/uhu/yMS08CkntxYRML:kLeza4fmP/UDMS08Ckn3z
Malware Config
Extracted
- Family: kutaki
- URL: http://linkwotowoto.club/new/two.php
Signatures
- Kutaki Executable (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x000800000001472f-62.dat | family_kutaki
  behavioral1/files/0x000800000001472f-60.dat | family_kutaki
  behavioral1/files/0x000800000001472f-58.dat | family_kutaki
  behavioral1/files/0x000800000001472f-64.dat | family_kutaki
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe | TSD.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe | TSD.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  760 | puonqefk.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1948 | TSD.exe
  1948 | TSD.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  1580 | DllHost.exe
- Suspicious use of SetWindowsHookEx (64 IoCs; distinct pid/process pairs shown)
  pid | Process
  1948 | TSD.exe
  760 | puonqefk.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1948 wrote to memory of 1428 | 1948 | TSD.exe | 28
  PID 1948 wrote to memory of 1428 | 1948 | TSD.exe | 28
  PID 1948 wrote to memory of 1428 | 1948 | TSD.exe | 28
  PID 1948 wrote to memory of 1428 | 1948 | TSD.exe | 28
  PID 1948 wrote to memory of 760 | 1948 | TSD.exe | 30
  PID 1948 wrote to memory of 760 | 1948 | TSD.exe | 30
  PID 1948 wrote to memory of 760 | 1948 | TSD.exe | 30
  PID 1948 wrote to memory of 760 | 1948 | TSD.exe | 30
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\TSD.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TSD.exe"
  PID: 1948
  Signatures: Drops startup file; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapimage.bmp
    PID: 1428
  - Image: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe"
    PID: 760
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
- Image: C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1580
  Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 649KB
  MD5: 2574234ccd8503284e9d4d910e39e132
  SHA1: aa7943ef2c8979d4daf653b056649a5dff0718c0
  SHA256: 8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c
  SHA512: e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7