Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win10-20231129-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    12/12/2023, 04:06

General

  • Target

    813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed.exe

  • Size

    7.5MB

  • MD5

    53f95cac7f320fbd67a17985fbcf97e1

  • SHA1

    6451282820e1b11b3f1a79247d2d2e484519a11a

  • SHA256

    813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed

  • SHA512

    58d69309dc494450d939085c46b71296218f9ea353e649d7201608173e6ee2159cf82853bc7c3a97caae3e2a1be552316cc0b7dd74c3bbf71e8e273ebc2557d0

  • SSDEEP

    196608:hq/iLRC0OLkYNew6tjCtD2RQVsBp4UAzj:hHC9Lkuew6t2oCO9Azj

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 63 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
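Two of the signatures above are only described in words. The block below is an added example, not tria.ge's signature code, that implements both over constructed sandbox events: "Unexpected DNS network traffic destination" (any port-53 flow, UDP or TCP, to a server other than the configured resolver) and "Checks installed software on the system" (a registry read under an Uninstall key, in either registry view). The configured resolver address and the flow and registry records are invented for the example; the PIDs are borrowed from the process tree only to make the output read naturally.

```python
"""Re-implementation of two report signatures over constructed events.

Added example; not tria.ge's code. CONFIGURED_DNS, FLOWS and REG_READS are
constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed: the resolver the analysis VM is assumed to be configured with.
CONFIGURED_DNS = {"10.127.0.1"}


@dataclass(frozen=True)
class Flow:
    pid: int
    proto: str      # "udp" or "tcp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class RegRead:
    pid: int
    key: str        # full key path as the process opened it


# Constructed events; not taken from the report.
FLOWS = [
    Flow(1072, "udp", "10.127.0.1", 53),      # the expected resolver
    Flow(1072, "udp", "8.8.8.8", 53),         # DNS to a non-configured server
    Flow(312, "tcp", "1.1.1.1", 53),          # DNS over TCP still counts
    Flow(312, "tcp", "93.184.216.34", 443),   # HTTPS, not DNS
    Flow(312, "udp", "8.8.8.8", 53),          # repeat: collapses to one IoC
]
REG_READS = [
    RegRead(4704, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PlayGIF_is1"),
    RegRead(4704, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
    RegRead(4704, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
]


def unexpected_dns_destinations(flows, configured=CONFIGURED_DNS):
    """Port-53 flows whose destination is not a configured resolver.

    Returns sorted unique (proto, dst_ip) pairs. Loopback, link-local and
    multicast destinations are skipped so mDNS/LLMNR-style noise does not fire.
    """
    bad = set()
    for f in flows:
        if f.dst_port != 53:
            continue
        ip = ipaddress.ip_address(f.dst_ip)
        if ip.is_loopback or ip.is_link_local or ip.is_multicast:
            continue
        if f.dst_ip not in configured:
            bad.add((f.proto, f.dst_ip))
    return sorted(bad)


# Matches both the native and the WOW6432Node Uninstall hives.
UNINSTALL_MARKER = r"\currentversion\uninstall"


def checks_installed_software(reads):
    """PIDs that opened an Uninstall key (software enumeration)."""
    return sorted({r.pid for r in reads if UNINSTALL_MARKER in r.key.lower()})
```

The DNS check deliberately keys on the destination port rather than on a parsed DNS payload, which is what makes it catch DNS-over-TCP and malformed queries alike; the trade-off is that any non-DNS service listening on 53 would also fire.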

Processes

  • C:\Users\Admin\AppData\Local\Temp\813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed.exe
    "C:\Users\Admin\AppData\Local\Temp\813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Users\Admin\AppData\Local\Temp\is-7KNFC.tmp\813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7KNFC.tmp\813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed.tmp" /SL5="$18007C,7577497,68096,C:\Users\Admin\AppData\Local\Temp\813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Query
        3⤵
          PID:2820
        • C:\Program Files (x86)\PlayGIF\gifplayer.exe
          "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
          3⤵
          • Executes dropped EXE
          PID:1072
        • C:\Program Files (x86)\PlayGIF\gifplayer.exe
          "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
          3⤵
          • Executes dropped EXE
          PID:312
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" helpmsg 11
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2304
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 helpmsg 11
            4⤵
              PID:4792
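The tree above is a standard Inno Setup launch: the sample is the loader stub, it extracts the real Setup program to an `is-XXXX.tmp` directory as a `.tmp` copy of itself, and runs it with the `/SL5=` switch that carries the loader's window handle, sizes and the source path. The `schtasks /Query` and `net helpmsg 11` children under the Setup process are what trigger "Runs net.exe". The block below is an added example, not tria.ge's code, that rebuilds the tree from records transcribed from the page (parent links follow the nesting shown), extracts the `/SL5` fields and lists which processes ran from a user-writable path. The `/SL5` field labels (window handle, TotalSize, OffsetEXE, source path) are my reading of Inno Setup's SetupLdr; treat the labels, not the parsing, as the assumption.

```python
"""Process-tree reconstruction and /SL5 parsing for the report above.

Added example; not tria.ge's code. PROCS is transcribed from the page's
process tree, with ppid taken from the nesting level.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SRC = rf"{TMP}\{SAMPLE}.exe"
SETUP = rf"{TMP}\is-7KNFC.tmp\{SAMPLE}.tmp"
GIF = r"C:\Program Files (x86)\PlayGIF\gifplayer.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None
    image: str
    cmdline: str


PROCS = [
    Proc(4720, None, SRC, f'"{SRC}"'),
    Proc(4704, 4720, SETUP, f'"{SETUP}" /SL5="$18007C,7577497,68096,{SRC}"'),
    Proc(2820, 4704, r"C:\Windows\SysWOW64\schtasks.exe", r'"C:\Windows\system32\schtasks.exe" /Query'),
    Proc(1072, 4704, GIF, f'"{GIF}" -i'),
    Proc(312, 4704, GIF, f'"{GIF}" -s'),
    Proc(2304, 4704, r"C:\Windows\SysWOW64\net.exe", r'"C:\Windows\system32\net.exe" helpmsg 11'),
    Proc(4792, 2304, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 helpmsg 11"),
]


def lineage(procs, pid):
    """Image paths from the root process down to `pid`."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    cur = by_pid[pid]
    while cur is not None:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return list(reversed(chain))


def children(procs):
    """{ppid: [child pids in report order]}."""
    kids = defaultdict(list)
    for p in procs:
        if p.ppid is not None:
            kids[p.ppid].append(p.pid)
    return dict(kids)


# /SL5="$HWND,TotalSize,OffsetEXE,SourcePath": hex handle, two decimals, path.
# Field labels are my reading of Inno Setup's SetupLdr (assumption).
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')


def parse_sl5(cmdline):
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {
        "hwnd": int(m.group(1), 16),
        "total_size": int(m.group(2)),
        "offset_exe": int(m.group(3)),
        "source": m.group(4),
    }


def inno_setup_sessions(procs):
    """{pid: parsed /SL5} for processes running out of an is-XXXX.tmp dir."""
    out = {}
    for p in procs:
        fields = parse_sl5(p.cmdline)
        if fields and re.search(r"\\is-[A-Z0-9]+\.tmp\\", p.image, re.I):
            out[p.pid] = fields
    return out


def writable_path_executions(procs):
    """PIDs whose image lives under the user's Temp directory."""
    return sorted(p.pid for p in procs if p.image.lower().startswith(TMP.lower()))
```

The report rounds the sample to 7.5MB; on the file itself, compare the exact size with the parsed `total_size` (7577497) to learn whether anything sits past the end of the Inno Setup data. The `source` field is also a cheap way to recover the original filename of a renamed installer.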

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\PlayGIF\gifplayer.exe

        Filesize

        820KB

        MD5

        57d1bf4de4f35b3ca5e5657f1e223484

        SHA1

        f0e3900b334dd016df4aed99a7046f1a0084f5e7

        SHA256

        8971da81633a2d15afc0493db59c389c48d6a3f49b148d25d14b8c6bde097335

        SHA512

        a4d2ddf628f5582eb9c3fc0c42b31507f9b920f4d3d184fcb112e97e5952418ff9739e2a5d14247ee28314c194c84369099f0a7875998e012239ebd9adbe6d4a

      • C:\Program Files (x86)\PlayGIF\gifplayer.exe

        Filesize

        819KB

        MD5

        48533df6fc6a3dc9064a69016c889782

        SHA1

        e845aa98bcf95c46dfb3df7f33369d0044ca8a67

        SHA256

        dcfcb13b7aa54a45e74588cf9c90940da826e515758c3c3a3211678c3687f64b

        SHA512

        bcc17b0be85d9d1141c5908467279578a4e4a385582179181454261fde180516818748b487cde3d543af45af299f789ab38b07c800064f6ea7442495bfa775d0

      • C:\Program Files (x86)\PlayGIF\gifplayer.exe

        Filesize

        797KB

        MD5

        b56f4cc1715fbc763a765e40c8cb27c6

        SHA1

        8768edee03a92882de86228ca999b2d386736fb5

        SHA256

        ee8c84c5a1eb9dcc2109378436ee6e938d08345e89bdd6539d896d7900db7f4e

        SHA512

        9e8c4fc2ca8729243848a3f9807accb796ddc72c697b3bb7a6fbb085064db4e9b1660246cd8b9f493fb3074f346fce01d43f5d4efe7b82d1647722a352708292

      • C:\Users\Admin\AppData\Local\Temp\is-7KNFC.tmp\813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed.tmp

        Filesize

        191KB

        MD5

        8b819dd8f6519cbcaa35a8892c10f744

        SHA1

        f5232734c43252b64d47c1a864c7556a01f086b0

        SHA256

        553d92228cd8766f944b9efedec4fabd1959ec4516e2b285e56385bab8913c26

        SHA512

        04972589930f1097879307382fba6323a6d982570b802db57b47903f47481aaa6e4bcfc6774ff89b8c9d71b51c7832a19b23b00023a58499ac5764c75bd70405

      • C:\Users\Admin\AppData\Local\Temp\is-7KNFC.tmp\813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed.tmp

        Filesize

        272KB

        MD5

        8c9fb94bbc250d7b75e892b13c9d8997

        SHA1

        18f60abce9a8361c84d74d60fe38ea2cf1b472bd

        SHA256

        e071dd3f492e2e813d5b449420a4ac943091b0c3a49481af848c3f3aae65d85d

        SHA512

        486040846d3a03da6402948b082bb34060873a67a309ae43fc8cbd716071fa3f8b4be51852d1e59c7fb46c2622d8eed697b36a363c9654e0a8fb8b17654eedb5

      • \Users\Admin\AppData\Local\Temp\is-LV3IV.tmp\_isetup\_iscrypt.dll

        Filesize

        2KB

        MD5

        a69559718ab506675e907fe49deb71e9

        SHA1

        bc8f404ffdb1960b50c12ff9413c893b56f2e36f

        SHA256

        2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

        SHA512

        e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

      • \Users\Admin\AppData\Local\Temp\is-LV3IV.tmp\_isetup\_isdecmp.dll

        Filesize

        19KB

        MD5

        3adaa386b671c2df3bae5b39dc093008

        SHA1

        067cf95fbdb922d81db58432c46930f86d23dded

        SHA256

        71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

        SHA512

        bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

      • memory/312-193-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-161-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-202-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-190-0x00000000007B0000-0x000000000084E000-memory.dmp

        Filesize

        632KB

      • memory/312-196-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-208-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-156-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-158-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-205-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-181-0x00000000007B0000-0x000000000084E000-memory.dmp

        Filesize

        632KB

      • memory/312-199-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-189-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-186-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-166-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-167-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-170-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-173-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-176-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/312-179-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/1072-152-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/1072-165-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/1072-154-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/1072-151-0x0000000000400000-0x0000000000666000-memory.dmp

        Filesize

        2.4MB

      • memory/4704-162-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

      • memory/4704-160-0x0000000000400000-0x00000000004BC000-memory.dmp

        Filesize

        752KB

      • memory/4704-18-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

      • memory/4720-159-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

      • memory/4720-0-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

      • memory/4720-2-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB
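Two things in the list above deserve a second look before pulling artefacts. First, `gifplayer.exe` and the Setup `.tmp` each appear several times at the same path with different hashes: the file was written more than once during the run, and each hash is a separate artefact. Second, `_isetup\_iscrypt.dll` and `_isdecmp.dll` are Inno Setup's own helper DLLs; `_isdecmp.dll` is the external decompressor and `_iscrypt.dll` (ISCrypt.dll) is only extracted when the installer was compiled with encryption enabled, so expect to need the password before innoextract-style tools will give you the payload. The block below is an added example, not tria.ge's code, that inventories the dropped files by path, checks the hash strings, and recomputes each memory-dump size from its address range against what the report printed (the report uses binary units, 1KB = 1024 bytes). Records are transcribed from the list above; for the memory dumps one entry per distinct region is kept.

```python
"""Artefact inventory for the report's Downloads section.

Added example; not tria.ge's code. DROPPED and MEMDUMPS are transcribed from
the page (MEMDUMPS keeps one entry per distinct region).
"""
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE = "813e4a016bef8de2539d0d5ce4c6c427dea05f2aa4d3772cd71dfbc71c9a59ed"
GIF = r"C:\Program Files (x86)\PlayGIF\gifplayer.exe"
SETUP = rf"C:\Users\Admin\AppData\Local\Temp\is-7KNFC.tmp\{SAMPLE}.tmp"
ISETUP = r"\Users\Admin\AppData\Local\Temp\is-LV3IV.tmp\_isetup"

# (path, reported size, sha256)
DROPPED = [
    (GIF, "820KB", "8971da81633a2d15afc0493db59c389c48d6a3f49b148d25d14b8c6bde097335"),
    (GIF, "819KB", "dcfcb13b7aa54a45e74588cf9c90940da826e515758c3c3a3211678c3687f64b"),
    (GIF, "797KB", "ee8c84c5a1eb9dcc2109378436ee6e938d08345e89bdd6539d896d7900db7f4e"),
    (SETUP, "191KB", "553d92228cd8766f944b9efedec4fabd1959ec4516e2b285e56385bab8913c26"),
    (SETUP, "272KB", "e071dd3f492e2e813d5b449420a4ac943091b0c3a49481af848c3f3aae65d85d"),
    (ISETUP + r"\_iscrypt.dll", "2KB", "2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc"),
    (ISETUP + r"\_isdecmp.dll", "19KB", "71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38"),
]

# (dump name, reported size); one per distinct PID/region.
MEMDUMPS = [
    ("memory/312-193-0x0000000000400000-0x0000000000666000-memory.dmp", "2.4MB"),
    ("memory/312-190-0x00000000007B0000-0x000000000084E000-memory.dmp", "632KB"),
    ("memory/1072-152-0x0000000000400000-0x0000000000666000-memory.dmp", "2.4MB"),
    ("memory/4704-162-0x00000000001F0000-0x00000000001F1000-memory.dmp", "4KB"),
    ("memory/4704-160-0x0000000000400000-0x00000000004BC000-memory.dmp", "752KB"),
    ("memory/4720-0-0x0000000000400000-0x0000000000418000-memory.dmp", "96KB"),
]

HEX = re.compile(r"^[0-9a-f]+$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def check_hash(h, algo="sha256"):
    """True when `h` is lowercase hex of the right length for `algo`."""
    return len(h) == HASH_LEN[algo] and bool(HEX.match(h))


def rewritten_paths(dropped):
    """{path: [distinct sha256s]} for paths written more than once."""
    by_path = defaultdict(list)
    for path, _size, sha in dropped:
        if not check_hash(sha):
            raise ValueError(f"malformed sha256 for {path}: {sha}")
        if sha not in by_path[path]:
            by_path[path].append(sha)
    return {p: hs for p, hs in by_path.items() if len(hs) > 1}


def inno_setup_helpers(dropped):
    """Basenames of the _isetup\\*.dll helpers Inno Setup extracted."""
    return sorted(p.rsplit("\\", 1)[-1] for p, _s, _h in dropped if r"\_isetup\_" in p)


DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def human_size(n):
    """The report's rounding: binary units, one decimal place for MB."""
    if n >= 1024 * 1024:
        return f"{n / (1024 * 1024):.1f}MB"
    return f"{n // 1024}KB"


def regions_by_pid(dumps):
    """{pid: {(start, end): size}} with size recomputed from the address range
    and cross-checked against the size the report printed."""
    out = defaultdict(dict)
    for name, reported in dumps:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name}")
        pid, start, end = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
        size = end - start
        if human_size(size) != reported:
            raise ValueError(f"{name}: range is {human_size(size)}, report says {reported}")
        out[pid][(start, end)] = size
    return dict(out)
```

The 0x400000 region of PIDs 312 and 1072 (both `gifplayer.exe`) is the same 2.4MB image, so one dump of either is enough for static work; the 632KB region at 0x7B0000 in PID 312 is the only non-image allocation captured and is the one to diff against the on-disk binary.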