Analysis
- max time kernel: 28s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 23/06/2023, 07:43
Static task: static1
Behavioral task: behavioral1
  Sample: 08732699.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: 08732699.exe
  Resource: win10v2004-20230621-en
General
- Target: 08732699.exe
- Size: 4.0MB
- MD5: d076c4b5f5c42b44d583c534f78adbe7
- SHA1: c35478e67d490145520be73277cd72cd4e837090
- SHA256: 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
- SHA512: b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638
- SSDEEP: 49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe
Malware Config
Extracted: laplas
- http://185.209.161.189
- api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
- Executes dropped EXE (1 IoCs)
  pid  | Process
  1284 | ntlhost.exe
- Loads dropped DLL (2 IoCs)
  pid  | Process
  1788 | 08732699.exe
  1788 | 08732699.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | 08732699.exe
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description            | flow | ioc
  HTTP User-Agent header | 1    | Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid  | Process      | procid_target
  PID 1788 wrote to memory of 1284 | 1788 | 08732699.exe | 26
  PID 1788 wrote to memory of 1284 | 1788 | 08732699.exe | 26
  PID 1788 wrote to memory of 1284 | 1788 | 08732699.exe | 26
Processes
- C:\Users\Admin\AppData\Local\Temp\08732699.exe (command line: "C:\Users\Admin\AppData\Local\Temp\08732699.exe") PID:1788
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe) PID:1284
    - Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 660.6MB
  MD5: db538511d2f5c4f73b1880699b43f713
  SHA1: 16ceae602ecff67bb23d4b094bf14819b9575cc4
  SHA256: d4277e800baf7a3f2b823e9b340e23fd8c575edcf5cb7bb36024d8f642034482
  SHA512: 7262aaf007e55e3c86fce2c3eb38c8ffb09fe622da1000144cd9aed8e4636d03fa270cfb9e345b90f920a95923f6365e3e56d8e97b87a8b24d0b117b9cb39e65
- Filesize: 682.9MB
  MD5: 927b596e89af77d91b435fa10bc60bb6
  SHA1: 18fc323a054b4171f0cd2931cdc644de2bcb26ff
  SHA256: b698f01f026ea7427b075d06f1875fefe647d06406fb86732a799d7a76ab2cd6
  SHA512: 3a2910a594a1cf5cbf5d1fef09e9d14d92b64dea795e563b1379146cf1109ffc857a66cab49b73026d4c2a415f7746617b8ba57e263e1ad6cd1942d52c283116
- Filesize: 693.9MB
  MD5: 7445dd75574c3a994286ad1c550babc1
  SHA1: 69f63348296ec330dc8612922fd3c40ba6f2de8f
  SHA256: 4070e022afdffe50146c7fa440710b1c804396ea8ab86d93957c4826f4b6c09e
  SHA512: 778e0f0ba5f4daebe37031cdc3effc5dd8776915f33ea852e757e7941f7df85ff24f97d42c8e9a31c5d6f16d95e7c2a69dcbe4d545248e57109a655ac067340e