Analysis

  • max time kernel
    127s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/11/2023, 09:48

General

  • Target

    stager.chm

  • Size

    215KB

  • MD5

    f7175168cef18a6a30722d40424e3e60

  • SHA1

    1895b257c271f8b582a321e18790c5487e5f1b9f

  • SHA256

    238b585f1b49eca8b4342a626e4480d8754bbbd75fcf8ac7307ff3cf642812e5

  • SHA512

    32cb9b717c387eb97229d37d0ee14896980d31fef77c517494c8e468909a4cc207d35343f2cd76eee8af4c989b3c1c9b948606299310adc7cf8cd86d8e01c2f9

  • SSDEEP

    3072:rTDyc8klHgSnHNVTj0h0qlmD1QKoJc3kKcAVm/6iG1yjfJuOjF8Tse69RsWni1Pv:rTDXhHc1YJtoTKUPG1yjf6ZysWiJ

Score
10/10

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\stager.chm
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1320
  • C:\Users\Admin\Searchesfox\jtkkBrCqKURWuziqkaH2YjenVMTCnli7YbxK0WOzlQvE9Dg9lZ\svchost.exe
    "C:\Users\Admin\Searchesfox\jtkkBrCqKURWuziqkaH2YjenVMTCnli7YbxK0WOzlQvE9Dg9lZ\svchost.exe" d2ire2ct2dir2ec2td2ir2ect
    • UAC bypass
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • System policy modification
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Searchesfox\jtkkBrCqKURWuziqkaH2YjenVMTCnli7YbxK0WOzlQvE9Dg9lZ\Foolish.png

    Filesize

    573KB

    MD5

    f717c0c79474763e15688af2ddc61278

    SHA1

    0156d35142b05f870ef41577a6d59e42573f09e0

    SHA256

    f7cedac2f5478eae1ea16b19672f602a74f271106f115ca28b7a768bc94cfefa

    SHA512

    b753cf065bfd9dcacf1fbf16a37b78cb36c17a62b5e3f6e35472196cb2356947c0fcb6ba3d8dae12bf9e99e7f167b9fd66b1579f54ae8e6139f7ff3cb2e08adb

  • C:\Users\Admin\Searchesfox\jtkkBrCqKURWuziqkaH2YjenVMTCnli7YbxK0WOzlQvE9Dg9lZ\libcef.dll

    Filesize

    8.9MB

    MD5

    9cf910fca5c1e977b3816cf86f1c699f

    SHA1

    6161f239764f904491cdcafa88c56fa22ce48ac7

    SHA256

    d30527fe2046455512c374449b422de6162d5e27b1952985ff50404142e1a5d2

    SHA512

    3c6fdcbde182ff9b15bd692529f5206a1d8da2ee93b3fb33d1b4c037cab156f33eb4c7100b4dfd1d0c359b87fea4d7b1befd4d89a17dab05dbaf750c2a3fdf31

  • C:\Users\Admin\Searchesfox\jtkkBrCqKURWuziqkaH2YjenVMTCnli7YbxK0WOzlQvE9Dg9lZ\svchost.exe

    Filesize

    978KB

    MD5

    8e945aaf7128bb3db83e51f3c2356637

    SHA1

    bcc64335efc63cb46e14cc330e105520391e2b00

    SHA256

    4fcf6394b14e24d830b04209a0ede1dcc911d199740a55d12c8ab8aeabb84073

    SHA512

    150636eea0cab3e738f5e94ae910d189622fa3221aca1cecc05bf0f5a80f2fab055adeafd99eab7a2a1d3911ff2784cf521a2681e5ddf7737f4363b915b8c2a8

  • \Users\Admin\Searchesfox\jtkkBrCqKURWuziqkaH2YjenVMTCnli7YbxK0WOzlQvE9Dg9lZ\libcef.dll

    Filesize

    9.9MB

    MD5

    47de7a7979344e34beb77c829c2a1ca6

    SHA1

    53a002efbf671908bae9f09a9bfd55bcf5825806

    SHA256

    6ce46851f01776a39081db8d6cd10421b5e920b723a235590d94162e0fa18a47

    SHA512

    80826cbbe7fcc7f119ddba9ab1bfe1025bed1dff147512d7564d9ee06dcd231067f6c4d7ec722120ac839c744866888e8ff52594dcc4e228da740cf9b77c1118

  • \Users\Admin\Searchesfox\jtkkBrCqKURWuziqkaH2YjenVMTCnli7YbxK0WOzlQvE9Dg9lZ\svchost.exe

    Filesize

    978KB

    MD5

    8e945aaf7128bb3db83e51f3c2356637

    SHA1

    bcc64335efc63cb46e14cc330e105520391e2b00

    SHA256

    4fcf6394b14e24d830b04209a0ede1dcc911d199740a55d12c8ab8aeabb84073

    SHA512

    150636eea0cab3e738f5e94ae910d189622fa3221aca1cecc05bf0f5a80f2fab055adeafd99eab7a2a1d3911ff2784cf521a2681e5ddf7737f4363b915b8c2a8

  • memory/1320-13-0x0000000004FF0000-0x000000000500A000-memory.dmp

    Filesize

    104KB

  • memory/1320-7-0x0000000004DE0000-0x0000000004E12000-memory.dmp

    Filesize

    200KB

  • memory/1320-8-0x000000001DDB0000-0x000000001DE30000-memory.dmp

    Filesize

    512KB

  • memory/1320-6-0x000000001DB20000-0x000000001DC16000-memory.dmp

    Filesize

    984KB

  • memory/1320-5-0x000007FEF3AF0000-0x000007FEF44DC000-memory.dmp

    Filesize

    9.9MB

  • memory/1320-92-0x0000000004FF0000-0x000000000500A000-memory.dmp

    Filesize

    104KB

  • memory/1320-91-0x000007FEF3AF0000-0x000007FEF44DC000-memory.dmp

    Filesize

    9.9MB

  • memory/2772-61-0x0000000010000000-0x0000000010096000-memory.dmp

    Filesize

    600KB