Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

tmp.exe

windows7-x64

7

tmp.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    12/11/2023, 16:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    20.5MB

  • MD5

    568963c3941031bac6b0efe3df5676c6

  • SHA1

    3bdd30ae7c9e04b12cf81ed2bbf7055249e61a67

  • SHA256

    cc5681366e3d73afc8fece1a15e9764543148449f7a1eddc9fb7705752c1b342

  • SHA512

    d371d876756578868aaa8ed6f41b7e858e20f0b24256ed5134a2332ce2cb12483f7eb153ee447506e931f74b92a707939a3e54ab2ee1884f1955feaf011422bf

  • SSDEEP

    393216:7RohnkAi/3eCseDV+w5xP9AOgBq0hvc1npNQrfJbCcDitpnz51:7UkbveI+w5xVAORNpNQrhbCi6nz51

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\Windrivex086.exe
      C:\Windows\Windrivex086.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Windrivex086.exe
    Filesize

    2.6MB

    MD5

    ea4afc3afe953263adabd1f86d4622d4

    SHA1

    f863869019db8b8102a30421e861606cbda77e6b

    SHA256

    6a84fabd3be5bf5e7dcbdb849fc80dfd1b4807164bf343e2876b0d0286189c73

    SHA512

    e80b7cf4fb7ff4b40186da0a0020a2f04bd126cb6a069ededb054310bb32f3dd6c5c7191fca5a37e0ef4f9758fe6f9fc56f19de35af54febe46acd9344aa0b04

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AsyncTask.dll
    Filesize

    73KB

    MD5

    3722f3bbd3b7a1433ef8aca28b3bfba4

    SHA1

    17c9fc0515fead507a5dd4d4778aaf46c1b33ab1

    SHA256

    644711742c67a5a9c49306d5eeac6992e99e44a3d075b555ef5b3aeae507a8e8

    SHA512

    da0c5970b164006dfe4b7b3fc6677a94fe1a80f42df3eae8f3c07df3fc4573889121548aee232b54908a8f3a1592c5026d3618c583d2dcfa34973ef4d07b6c2b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Common.dll
    Filesize

    2.4MB

    MD5

    5cff2b2b2c0170352c0771f9b6845cd1

    SHA1

    b3a99ce8ddb3e8526ff5772e5bc0821af5633cc1

    SHA256

    e28ebb5314382c4299126ae49fe9b8ecb5e24681635de9c138fb4db2020430e6

    SHA512

    5391afb463ea7b0f2970455741c535eafc3502406e0a7923b21c62d40767744845b0d6db74a556249d8b9ff81eb764039ceef8229c00e5017d51896869a08336

    Download Submit

  • \Users\Admin\AppData\Local\Temp\E2EECore.2.8.15.dll
    Filesize

    10.1MB

    MD5

    2fdd7abd6b8e3fd9ba425405d88d3340

    SHA1

    4291099d2a18b41a1b1e5fcc3c71bf256cc97ed2

    SHA256

    5ea3a1f359bdfd143c1df71430fb531af8430a0c33080d4907c135c35134b871

    SHA512

    14f78ef5e272cc1b5e53aad8ab27fc66112adfc1dd40ef98a743ad8b052601a9b6006f5e0e77c4a652bc19a08cb6e8fb66275761619677635693378a3ea54805

    Download Submit

  • \Users\Admin\AppData\Local\Temp\GetSign.dll
    Filesize

    732KB

    MD5

    3d15f4128ddfeb0acdfa225dfb27561d

    SHA1

    6b469f93831c5f62bc87edac851b1c82fa322025

    SHA256

    aafcc78bf089491b4910963d7b4e02652f6137d475e09dbd6fbf1339e0c95203

    SHA512

    ebaa89042828814ba0a37cc253815c5930f65875585aacb302eae084f12f82d6f265ea0eb6b9fba0e58084fcb2096b83fbacbb3cb67754b6dbeca5b15a4b62da

    Download Submit

  • \Users\Admin\AppData\Local\Temp\PreloginLogic.dll
    Filesize

    1.7MB

    MD5

    53ff44296e596a49b79b36f4d174122d

    SHA1

    b690c4a5e76ca65592a90fc6ee009905180a954f

    SHA256

    9e8cc8087e6b0ea13c95b65b06457f8e710bc768fc3617b18e9b376f44410130

    SHA512

    715cb9ee28983129b7aa7dd0571a081b501e2fd41b1fa54a5b292903038bf6e99812fc316b991de13b5f10ecd2e8c305f16bad6231839897603d22c098374599

    Download Submit

  • memory/2584-14-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2584-9-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2584-8-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2584-0-0x0000000000400000-0x000000000494C000-memory.dmp

    Filesize

    69.3MB

    Download

  • memory/2584-41-0x0000000006900000-0x0000000006A00000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2584-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2584-56-0x0000000006900000-0x0000000006A00000-memory.dmp

    Filesize

    1024KB

    Download