Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

tmp.exe

windows7-x64

7

tmp.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/11/2023, 16:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    20.5MB

  • MD5

    568963c3941031bac6b0efe3df5676c6

  • SHA1

    3bdd30ae7c9e04b12cf81ed2bbf7055249e61a67

  • SHA256

    cc5681366e3d73afc8fece1a15e9764543148449f7a1eddc9fb7705752c1b342

  • SHA512

    d371d876756578868aaa8ed6f41b7e858e20f0b24256ed5134a2332ce2cb12483f7eb153ee447506e931f74b92a707939a3e54ab2ee1884f1955feaf011422bf

  • SSDEEP

    393216:7RohnkAi/3eCseDV+w5xP9AOgBq0hvc1npNQrfJbCcDitpnz51:7UkbveI+w5xVAORNpNQrhbCi6nz51

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\Windrivex086.exe
      C:\Windows\Windrivex086.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AsyncTask.dll
    Filesize

    73KB

    MD5

    3722f3bbd3b7a1433ef8aca28b3bfba4

    SHA1

    17c9fc0515fead507a5dd4d4778aaf46c1b33ab1

    SHA256

    644711742c67a5a9c49306d5eeac6992e99e44a3d075b555ef5b3aeae507a8e8

    SHA512

    da0c5970b164006dfe4b7b3fc6677a94fe1a80f42df3eae8f3c07df3fc4573889121548aee232b54908a8f3a1592c5026d3618c583d2dcfa34973ef4d07b6c2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Common.dll
    Filesize

    2.4MB

    MD5

    5cff2b2b2c0170352c0771f9b6845cd1

    SHA1

    b3a99ce8ddb3e8526ff5772e5bc0821af5633cc1

    SHA256

    e28ebb5314382c4299126ae49fe9b8ecb5e24681635de9c138fb4db2020430e6

    SHA512

    5391afb463ea7b0f2970455741c535eafc3502406e0a7923b21c62d40767744845b0d6db74a556249d8b9ff81eb764039ceef8229c00e5017d51896869a08336

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\E2EECore.2.8.15.dll
    Filesize

    10.1MB

    MD5

    2fdd7abd6b8e3fd9ba425405d88d3340

    SHA1

    4291099d2a18b41a1b1e5fcc3c71bf256cc97ed2

    SHA256

    5ea3a1f359bdfd143c1df71430fb531af8430a0c33080d4907c135c35134b871

    SHA512

    14f78ef5e272cc1b5e53aad8ab27fc66112adfc1dd40ef98a743ad8b052601a9b6006f5e0e77c4a652bc19a08cb6e8fb66275761619677635693378a3ea54805

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GetSign.dll
    Filesize

    732KB

    MD5

    3d15f4128ddfeb0acdfa225dfb27561d

    SHA1

    6b469f93831c5f62bc87edac851b1c82fa322025

    SHA256

    aafcc78bf089491b4910963d7b4e02652f6137d475e09dbd6fbf1339e0c95203

    SHA512

    ebaa89042828814ba0a37cc253815c5930f65875585aacb302eae084f12f82d6f265ea0eb6b9fba0e58084fcb2096b83fbacbb3cb67754b6dbeca5b15a4b62da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\PreloginLogic.dll
    Filesize

    1.7MB

    MD5

    53ff44296e596a49b79b36f4d174122d

    SHA1

    b690c4a5e76ca65592a90fc6ee009905180a954f

    SHA256

    9e8cc8087e6b0ea13c95b65b06457f8e710bc768fc3617b18e9b376f44410130

    SHA512

    715cb9ee28983129b7aa7dd0571a081b501e2fd41b1fa54a5b292903038bf6e99812fc316b991de13b5f10ecd2e8c305f16bad6231839897603d22c098374599

    Download Submit

  • C:\Windows\HPSocket4C-SSL.dll
    Filesize

    1.2MB

    MD5

    e7fce4cf867590e674c90b68c6fef1bc

    SHA1

    534c0edd83843ec6c7f4dbbd4847f992879c6526

    SHA256

    a09b369257aa79ba26c53b186977a0659e281b32c1c6ed74b367b4b61ca4a37b

    SHA512

    8cdf23270ca94c4bc61692c6219550e112133d65ee8b0416d23774d3695efa897bbe9713e43dc710a5aed8e9dd44777d4ee02b8043132e6229286c7f61628b77

    Download Submit

  • C:\Windows\Windrivex086.exe
    Filesize

    2.6MB

    MD5

    ea4afc3afe953263adabd1f86d4622d4

    SHA1

    f863869019db8b8102a30421e861606cbda77e6b

    SHA256

    6a84fabd3be5bf5e7dcbdb849fc80dfd1b4807164bf343e2876b0d0286189c73

    SHA512

    e80b7cf4fb7ff4b40186da0a0020a2f04bd126cb6a069ededb054310bb32f3dd6c5c7191fca5a37e0ef4f9758fe6f9fc56f19de35af54febe46acd9344aa0b04

    Download Submit

  • C:\Windows\Windrivex086.exe
    Filesize

    2.6MB

    MD5

    ea4afc3afe953263adabd1f86d4622d4

    SHA1

    f863869019db8b8102a30421e861606cbda77e6b

    SHA256

    6a84fabd3be5bf5e7dcbdb849fc80dfd1b4807164bf343e2876b0d0286189c73

    SHA512

    e80b7cf4fb7ff4b40186da0a0020a2f04bd126cb6a069ededb054310bb32f3dd6c5c7191fca5a37e0ef4f9758fe6f9fc56f19de35af54febe46acd9344aa0b04

    Download Submit

  • memory/808-10-0x0000000006810000-0x0000000006811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/808-15-0x0000000006800000-0x0000000006801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/808-9-0x00000000067F0000-0x00000000067F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/808-8-0x00000000067E0000-0x00000000067E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/808-0-0x0000000000400000-0x000000000494C000-memory.dmp

    Filesize

    69.3MB

    Download

  • memory/808-46-0x0000000007070000-0x0000000007170000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/808-61-0x0000000007070000-0x0000000007170000-memory.dmp

    Filesize

    1024KB

    Download