Analysis

  • max time kernel
    120s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2023, 17:22 UTC

General

  • Target

    2023-08-27_361ea8209630ea1fc1e212ce23ee9b27_magniber_JC.exe

  • Size

    23.2MB

  • MD5

    361ea8209630ea1fc1e212ce23ee9b27

  • SHA1

    8e8272f9890226e0bd28dbfb6e28eb335dfd57aa

  • SHA256

    0a11f0af4b75f972200c636beebf476aaeabed96f77e8bfce49c73ed86239e74

  • SHA512

    14a96e52fa60ab33700f82a0c8a5979c25706391d982f4ac975be11921a2b9b00d47b80610078e976d21f3188accb6e6a613af480f856669cf71a238d8862b40

  • SSDEEP

    196608:lBY376DEtUmaIsqY4tdqYrKcxos1+11dFY9IPqYZvUqYneXmzWLy3TXsUkKneBSq:HY376DCYie4kTxz7lydH0GB4I+v/Sa

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 30 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-08-27_361ea8209630ea1fc1e212ce23ee9b27_magniber_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-08-27_361ea8209630ea1fc1e212ce23ee9b27_magniber_JC.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\AMBmpRecorder.ax"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:2088
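
The signatures and the process tree above describe behaviour that host telemetry records directly: reads under the Uninstall key (installed-software enumeration), reads under CentralProcessor (a common sandbox check), and regsvr32.exe run with /s against a file dropped in %TEMP%. regsvr32 calls the module's DllRegisterServer export, so the .ax extension does not stop the file from executing as code, and the HKCR writes that follow are what the "Modifies registry class" signature records. The Python below is an added example, not part of the Triage report or of the sample: it runs those checks over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) modelled on this process tree. The event records, the GUIDs and the msxml3.dll control event are made up for the example.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed Sysmon-style events modelled on the report's process tree.
# PIDs and paths follow the report; GUIDs and the msxml3.dll event are invented.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 2408, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"id": 13, "pid": 2408,
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"id": 13, "pid": 2408,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
            r"\{11111111-2222-3333-4444-555555555555}\DisplayName"},
    {"id": 1, "pid": 2088, "ppid": 2408,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\AMBmpRecorder.ax"'},
    {"id": 13, "pid": 2088,
     "key": r"HKCR\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32\(Default)"},
    # Benign control: a system DLL registered from System32 must not fire.
    {"id": 1, "pid": 3001, "ppid": 600,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]

# Paths an unprivileged user can write to; a COM server loaded from here is suspect.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|programdata\\|windows\\temp\\)",
    re.IGNORECASE)

# Registry locations matching the report's "checks processor information",
# "checks installed software" and "modifies registry class" signatures.
RECON_KEYS = {
    "processor_info": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
    "installed_software": re.compile(r"\\CurrentVersion\\Uninstall\\", re.I),
    "com_class_registration": re.compile(r"^HKCR\\CLSID\\", re.I),
}


def regsvr32_module(cmdline: str) -> Optional[str]:
    """Return the module path handed to regsvr32, skipping switches such as /s, /u, /n, /i:..."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    args = [quoted or bare for quoted, bare in tokens][1:]  # drop the program name
    for arg in args:
        if not arg.startswith(("/", "-")):
            return arg
    return None


def check_regsvr32(ev: Dict) -> List[str]:
    """Flag regsvr32 registering a module from a user-writable path or with a non-DLL extension."""
    if ev.get("id") != 1 or not ev["image"].lower().endswith("\\regsvr32.exe"):
        return []
    module = regsvr32_module(ev["cmdline"])
    if module is None:
        return []
    tags = []
    if USER_WRITABLE.match(module):
        tags.append("regsvr32_user_writable_module")
    if not module.lower().endswith((".dll", ".ocx")):
        tags.append("regsvr32_nonstandard_extension")  # .ax, .dat, .tmp and similar
    return tags


def check_registry(ev: Dict) -> List[str]:
    """Tag registry events that touch the recon and COM-registration locations above."""
    if ev.get("id") != 13:
        return []
    return [name for name, rx in RECON_KEYS.items() if rx.search(ev["key"])]


def analyze(events: Iterable[Dict]) -> List[Tuple[int, str]]:
    """Run both checks and correlate: regsvr32 spawned by a parent that itself runs from %TEMP%."""
    events = list(events)
    images = {ev["pid"]: ev["image"] for ev in events if ev.get("id") == 1}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        tags = check_regsvr32(ev) + check_registry(ev)
        if "regsvr32_user_writable_module" in tags:
            parent_image = images.get(ev.get("ppid"), "")
            if USER_WRITABLE.match(parent_image):
                tags.append("regsvr32_parent_in_user_writable_path")
        findings.extend((ev["pid"], tag) for tag in tags)
    return findings


if __name__ == "__main__":
    for pid, tag in analyze(EVENTS):
        print(f"pid={pid} {tag}")
```

Against the constructed events the analysis reports the two recon reads by PID 2408, three tags for the regsvr32 child (user-writable module, non-DLL extension, parent from a user-writable path) and the CLSID write it performs, and nothing for the System32 control event. The parent-path correlation is what separates this pattern from routine installer activity, where regsvr32 is also common.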

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AMBmpRecorder.ax

    Filesize

    1.4MB

    MD5

    effc110606c472ae3bcd245ffc988749

    SHA1

    519e6ec1908adf2dc02f6fcbfbd6f552de7b70e2

    SHA256

    b6f60f30f91f425aec30d2b67ec958939857bdf170afc14ebb0efeaed06202d7

    SHA512

    6df5d4d9927c279f1c15e03ff56e893108b29089e576ab2abceaf2400189136df6d2faac2e594307bb18c64400fd247007779bbc6d0e5c11f8d914e871133d56

  • C:\Users\Admin\AppData\Local\Temp\ANYmazeLog.txt

    Filesize

    6KB

    MD5

    00724a42d9b9dd736bb3a63bc0b3dd22

    SHA1

    b6e766cd72ab70bbed7a3dac0558883e9b5dab73

    SHA256

    68ef128fd3e493cb3f2adf1fd6f67f65a5612332568db2f26ad6afeba00050b5

    SHA512

    c0627783d45b8515bce068c1670a242ae9ac4a0153ede494dea9e13553c085b29545df72197f752e23ebdf89137e3145ed01d83678a0b31d746500f081e0de13

  • \Users\Admin\AppData\Local\Temp\AMBmpRecorder.ax

    Filesize

    1.4MB

    MD5

    effc110606c472ae3bcd245ffc988749

    SHA1

    519e6ec1908adf2dc02f6fcbfbd6f552de7b70e2

    SHA256

    b6f60f30f91f425aec30d2b67ec958939857bdf170afc14ebb0efeaed06202d7

    SHA512

    6df5d4d9927c279f1c15e03ff56e893108b29089e576ab2abceaf2400189136df6d2faac2e594307bb18c64400fd247007779bbc6d0e5c11f8d914e871133d56

  • memory/2408-15-0x00000000035B0000-0x00000000035B1000-memory.dmp

    Filesize

    4KB

  • memory/2408-27-0x00000000035B0000-0x00000000035B1000-memory.dmp

    Filesize

    4KB
