Analysis

  • max time kernel
    224s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2023, 20:22

General

  • Target
    Lan Adaptor/CH9152DRV/PSetup.exe
  • Size
    6KB
  • MD5
    bc0b5f20a2dd4e96084d7604cdb6aec5
  • SHA1
    c78246bbd5fd00ae6b0b867d9be7a76cdc70d075
  • SHA256
    a290256623a01ed19f5b05f45017e3cadac2e246476f86ac08bd61d8fcc4fb2d
  • SHA512
    684a765ba893a41b847c60b1cd5e2e4d6836a506af6ea8782256432065e9b509934edaa345becfb4702dbe88cfc16d8b2bbea189c264355fc5713137ea724ae0
  • SSDEEP
    96:tDqqr/Z8l9fgmuTV9TexmtIAKyPtboynh0GFQ+xX+vqp:tDqeZ8l9fg/TzIALP1oynhbQ23

Score
5/10

Signatures

  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 7 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lan Adaptor\CH9152DRV\PSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Lan Adaptor\CH9152DRV\PSetup.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2080
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3dcc336d-6d0f-2594-3829-3c460faf901a}\WCHUSBNIC.INF" "9" "6edb606f7" "0000000000000564" "WinSta0\Default" "00000000000004C4" "208" "C:\Users\Admin\AppData\Local\Temp\Lan Adaptor\CH9152DRV"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{76f1c763-2ef0-67ee-2922-3b6f72b91e2c} Global\{09736cc3-e957-18e1-203d-6004630aa535} C:\Windows\System32\DriverStore\Temp\{65d6f5b9-ca72-66b8-10f5-3764483de001}\WCHUSBNIC.INF C:\Windows\System32\DriverStore\Temp\{65d6f5b9-ca72-66b8-10f5-3764483de001}\WCHUSBNIC.CAT
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2976
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E4" "0000000000000584"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2020
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1736

Downloads

  • C:\Users\Admin\AppData\Local\Temp\{3DCC3~1\WCHUSBNICA64.sys
    Filesize: 59KB
    MD5: a41beaa61247e9864ab666025c820d1b
    SHA1: 57b29779767a6d7dd180514be84285489b43e42b
    SHA256: f7740bd11e8c6688c7142fb8ded05197f38feef249cbc33434ffbc83925ef4c5
    SHA512: 518401a96ab52ffcc63c06a2e392ef4ba4bf516bdd43ee3de05b611b71932b33f08e24619ec8f9664fd040ce3cbdf82fe0b19800220869dfc599806b5de83c81
  • C:\Users\Admin\AppData\Local\Temp\{3dcc336d-6d0f-2594-3829-3c460faf901a}\WCHUSBNIC.CAT
    Filesize: 12KB
    MD5: e673c56519d4a7dacb6234355e9c017b
    SHA1: cf4b61c6808c11ef1d4b2d0a0f2ac4e5a50ceb51
    SHA256: 30c19a3e7e65b79646ccc479b1a54d1b2e17058bea90a59c8e8ced4522c1f3ae
    SHA512: 1a0867a5bfa3219da4ca5f4e6de3dd2e5a1b2435dbaf78847f62a700bf5e3dc80d1cc07e02c9856ee627817bc3a39e47e801d2293275afc11c0708d6e9426007
  • C:\Users\Admin\AppData\Local\Temp\{3dcc336d-6d0f-2594-3829-3c460faf901a}\WCHUSBNIC.INF
    Filesize: 15KB
    MD5: da8885e49970cb971221ac59d0234ac3
    SHA1: c6ab9b14d5e69aee4427d517897b66d8a5293987
    SHA256: b790b2442ab3a40d87247d9d70e37220f8914075d4af300afbb725159ab830ee
    SHA512: 5dbd3f3c248f10125dec7485f796d70864bf314d52f1d2ef3438c893e6a4e5fda35aee9eede7fe6bb40107d48e037a7e14740974546f9620c0aa52478efbe5c4
  • C:\Windows\System32\DriverStore\Temp\{65d6f5b9-ca72-66b8-10f5-3764483de001}\SETCC44.tmp
    Filesize: 59KB
    MD5: a41beaa61247e9864ab666025c820d1b
    SHA1: 57b29779767a6d7dd180514be84285489b43e42b
    SHA256: f7740bd11e8c6688c7142fb8ded05197f38feef249cbc33434ffbc83925ef4c5
    SHA512: 518401a96ab52ffcc63c06a2e392ef4ba4bf516bdd43ee3de05b611b71932b33f08e24619ec8f9664fd040ce3cbdf82fe0b19800220869dfc599806b5de83c81
  • C:\Windows\System32\DriverStore\Temp\{65d6f5b9-ca72-66b8-10f5-3764483de001}\SETCC55.tmp
    Filesize: 12KB
    MD5: e673c56519d4a7dacb6234355e9c017b
    SHA1: cf4b61c6808c11ef1d4b2d0a0f2ac4e5a50ceb51
    SHA256: 30c19a3e7e65b79646ccc479b1a54d1b2e17058bea90a59c8e8ced4522c1f3ae
    SHA512: 1a0867a5bfa3219da4ca5f4e6de3dd2e5a1b2435dbaf78847f62a700bf5e3dc80d1cc07e02c9856ee627817bc3a39e47e801d2293275afc11c0708d6e9426007
  • C:\Windows\System32\DriverStore\Temp\{65d6f5b9-ca72-66b8-10f5-3764483de001}\SETCC65.tmp
    Filesize: 15KB
    MD5: da8885e49970cb971221ac59d0234ac3
    SHA1: c6ab9b14d5e69aee4427d517897b66d8a5293987
    SHA256: b790b2442ab3a40d87247d9d70e37220f8914075d4af300afbb725159ab830ee
    SHA512: 5dbd3f3c248f10125dec7485f796d70864bf314d52f1d2ef3438c893e6a4e5fda35aee9eede7fe6bb40107d48e037a7e14740974546f9620c0aa52478efbe5c4
  • C:\Windows\System32\DriverStore\Temp\{65d6f5b9-ca72-66b8-10f5-3764483de001}\WCHUSBNIC.INF
    Filesize: 15KB
    MD5: da8885e49970cb971221ac59d0234ac3
    SHA1: c6ab9b14d5e69aee4427d517897b66d8a5293987
    SHA256: b790b2442ab3a40d87247d9d70e37220f8914075d4af300afbb725159ab830ee
    SHA512: 5dbd3f3c248f10125dec7485f796d70864bf314d52f1d2ef3438c893e6a4e5fda35aee9eede7fe6bb40107d48e037a7e14740974546f9620c0aa52478efbe5c4
  • C:\Windows\Temp\CabCD21.tmp
    Filesize: 29KB
    MD5: d59a6b36c5a94916241a3ead50222b6f
    SHA1: e274e9486d318c383bc4b9812844ba56f0cff3c6
    SHA256: a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
    SHA512: 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
  • C:\Windows\Temp\TarCD72.tmp
    Filesize: 81KB
    MD5: b13f51572f55a2d31ed9f266d581e9ea
    SHA1: 7eef3111b878e159e520f34410ad87adecf0ca92
    SHA256: 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
    SHA512: f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
  • memory/2156-176-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize: 4KB
  • memory/2156-177-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize: 4KB