Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system
- submitted: 14/11/2023, 09:44
Static task: static1
Behavioral task: behavioral1
Sample: 72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe
Resource: win7-20231023-en
General
- Target: 72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe
- Size: 304KB
- MD5: b728c2840a02568443366cf9d31b4e79
- SHA1: 290262cf698471ac7a25c002cc5e32c45343354a
- SHA256: 72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948
- SHA512: 663f58c57f7fb01fec32c6a7f72742edf45c37f4e12caef7def07e504d1aefcf51d873fc28682161a0affbcf536f40e967049f84a6376f33cb1e1c77f0be9de5
- SSDEEP: 6144:vIMnCyxDUQyNjIY6UAik3W6EoXJAOueOef5SG4X9Wx+8tCNyY:1C2U3Nj56Jik3n5EeOK8Mx+8kNH
Malware Config
Signatures
- UAC bypass
    description: Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
    Process: NNAuq9qN.exe
- Downloads MZ/PE file
- Modifies RDP port number used by Windows (1 TTPs)
- Executes dropped EXE (1 IoCs)
    pid 2724, Process NNAuq9qN.exe
- Loads dropped DLL (4 IoCs)
    pid 2872, Process 72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe (4 entries)
- yara_rule: upx
    resource behavioral1/files/0x0007000000016057-14.dat
    resource behavioral1/files/0x0007000000016057-16.dat
    resource behavioral1/files/0x0007000000016057-19.dat
    resource behavioral1/files/0x0007000000016057-24.dat
    resource behavioral1/files/0x0007000000016057-22.dat
    resource behavioral1/files/0x0007000000016057-26.dat
    resource behavioral1/memory/2724-27-0x0000000000400000-0x0000000000558000-memory.dmp
    resource behavioral1/files/0x0007000000016057-60.dat
    resource behavioral1/memory/2724-68-0x0000000000400000-0x0000000000558000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
    pid 2864, pid_target 2872, Process WerFault.exe, procid_target 27
- Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description: Key opened
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Process: NNAuq9qN.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Process: NNAuq9qN.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid 2872, Process 72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe (2 entries)
    pid 2724, Process NNAuq9qN.exe (62 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
    pid 2724, Process NNAuq9qN.exe (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
    PID 2872 wrote to memory of 2724, Process 72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe, procid_target 29 (7 entries)
    PID 2872 wrote to memory of 2864, Process 72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe, procid_target 30 (4 entries)
    PID 2724 wrote to memory of 2852, Process NNAuq9qN.exe, procid_target 31 (4 entries)
- System policy modification (1 TTPs, 1 IoCs)
    description: Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
    Process: NNAuq9qN.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe"
    PID: 2872
    signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Public\Pictures\ez5OSQD\NNAuq9qN.exe
        command line: "C:\Users\Public\Pictures\ez5OSQD\NNAuq9qN.exe"
        PID: 2724
        signatures: UAC bypass; Executes dropped EXE; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
        - C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c echo.>c:\xxxx.ini
            PID: 2852
    - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 536
        PID: 2864
        signatures: Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads