Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/12/2023, 10:50

General

  • Target

    0d320338547912a20ae2209247d99265.exe

  • Size

    16KB

  • MD5

    0d320338547912a20ae2209247d99265

  • SHA1

    91ddb05090a4841e1739cfc06847e444cb20a4f4

  • SHA256

    699bcfcbced15c4bea4320ada939072b82c93a8263ee18caf2f66dacff8223ec

  • SHA512

    e5ca38a4a671e3fc7638f73718f0a9d75ac51c04c90c40c264808c316c8aa20e90a229fd9be83013469140f829ed51d50bdb0967a06226ca66c689f404e7f7a5

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY+SmZU:hDXWipuE+K3/SSHgxm+LW

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d320338547912a20ae2209247d99265.exe
    "C:\Users\Admin\AppData\Local\Temp\0d320338547912a20ae2209247d99265.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Users\Admin\AppData\Local\Temp\DEME560.exe
          "C:\Users\Admin\AppData\Local\Temp\DEME560.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2860
          • C:\Users\Admin\AppData\Local\Temp\DEM3B0D.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM3B0D.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1840
            • C:\Users\Admin\AppData\Local\Temp\DEM90BB.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM90BB.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1184
              • C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe
                "C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1312
                • C:\Users\Admin\AppData\Local\Temp\DEM3C36.exe
                  "C:\Users\Admin\AppData\Local\Temp\DEM3C36.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:2436
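
The tree above is an eight-stage chain in which every process is a freshly dropped 16KB executable in the same user Temp directory, each one spawning the next. A hunting rule that keys on that shape (a run of parent-to-child processes all resident under %LOCALAPPDATA%\Temp) catches the behaviour without depending on any single file name or hash. The script below is an added example written for this page, not tria.ge code: the event list is constructed from the PIDs and image paths in the process tree, the parent of the first sample is not shown in the report and is recorded as None, the notepad.exe event is a constructed benign control, and the (pid, ppid, image) tuple layout is an assumption rather than any particular EDR schema.

```python
"""Detect a nested Temp-directory dropper chain in process-creation events.

Added example for this report, not tria.ge code. Events are constructed from
the process tree in the report; field layout (pid, ppid, image) is assumed.
"""
import re
from collections import defaultdict

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# Executable under a user's %LOCALAPPDATA%\Temp, any drive letter or user name.
TEMP_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE
)
# The dropped stages in this report are all named DEM plus four hex digits.
STAGE_NAME = re.compile(r"^[A-Z]{3}[0-9A-F]{4}\.exe$")

# Constructed from the report's process tree: (pid, ppid, image path).
EVENTS = [
    (2116, None, TEMP_DIR + r"\0d320338547912a20ae2209247d99265.exe"),  # parent not in report
    (2864, 2116, TEMP_DIR + r"\DEM4B81.exe"),
    (2668, 2864, TEMP_DIR + r"\DEM8FC1.exe"),
    (2860, 2668, TEMP_DIR + r"\DEME560.exe"),
    (1840, 2860, TEMP_DIR + r"\DEM3B0D.exe"),
    (1184, 1840, TEMP_DIR + r"\DEM90BB.exe"),
    (1312, 1184, TEMP_DIR + r"\DEME6A7.exe"),
    (2436, 1312, TEMP_DIR + r"\DEM3C36.exe"),
    (3000, 2116, r"C:\Windows\System32\notepad.exe"),  # constructed benign control
]


def temp_exe_chains(events, min_depth=3):
    """Return pid chains (root first) in which every process image lives in a
    user Temp directory and the chain is at least min_depth long.

    A chain is reported once, from its topmost Temp-resident ancestor down to a
    Temp-resident process that has no Temp-resident children.
    """
    image = {pid: img for pid, _, img in events}
    parent = {pid: ppid for pid, ppid, _ in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)

    def in_temp(pid):
        return pid in image and bool(TEMP_EXE.match(image[pid]))

    chains = []
    for pid in image:
        if not in_temp(pid):
            continue
        if any(in_temp(child) for child in children[pid]):
            continue  # an inner link; the chain is reported from its leaf
        chain = [pid]
        while in_temp(parent.get(chain[-1])):
            chain.append(parent[chain[-1]])
        chain.reverse()
        if len(chain) >= min_depth:
            chains.append(chain)
    return chains


def stage_names(events, chain):
    """Return the file names along a chain that fit the DEM+hex naming seen in
    this report. On its own a name match is a weak indicator; it is only useful
    as corroboration for a chain found by temp_exe_chains."""
    image = {pid: img for pid, _, img in events}
    names = [image[pid].rsplit("\\", 1)[-1] for pid in chain]
    return [name for name in names if STAGE_NAME.match(name)]


if __name__ == "__main__":
    for chain in temp_exe_chains(EVENTS):
        print("Temp-resident chain, depth", len(chain), ":", " > ".join(map(str, chain)))
        print("stage-like names:", stage_names(EVENTS, chain))
```

On the constructed events the rule yields the single depth-8 chain 2116 > 2864 > ... > 2436 and ignores the notepad.exe control. In production, correlate each child's image path with a preceding file-create event from its parent; the report's "Executes dropped EXE" signature is that correlation, and requiring it removes false positives from installers that legitimately unpack and run helpers from Temp.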

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM3B0D.exe

    Filesize

    16KB

    MD5

    c1937d13a7a6a5a9bb8522dda30f5da7

    SHA1

    1089912d9271cf01ce538cd8a1b779116359f9a0

    SHA256

    f580da54a908c5eb93542e4709632120cb0f8040d11134fecedd0bb789188a4a

    SHA512

    f5dd098e80e1fa100d28612f0df7495f5025098728f6500856818d3c84ea6326e84292d8a1d2cfd09c192ab90799993b467d773a9766b423b2f35f0deab8b299

  • C:\Users\Admin\AppData\Local\Temp\DEM3C36.exe

    Filesize

    16KB

    MD5

    3ee7c530fbdd58c00e38f97991460919

    SHA1

    b9f4e19b38a0fdbefb9a8bc46a6c0770d5562d79

    SHA256

    ad31d690deec83723145d3a7358f02e43590eaa6dbbeedc168a01b2374dee6fa

    SHA512

    39fde3b3f9a12d5a49fb08b991a80467af4353de777d0db98d2304825cfea98cc6a10115d4088c756ee2abcd75fa1d2f77241b29e5d5dfcb27a7e1190b94836a

  • C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe

    Filesize

    16KB

    MD5

    823e49be39310460f0d1972fa0e593ed

    SHA1

    e612432fb630bc7d3204796b9f44be146c7b59a0

    SHA256

    79402f4456c31a940b314bacfac880f803d1a387aa6ee2cdce04e2185c6a0fad

    SHA512

    e69a09bf5e24b14af0ccbb9eaeac7b007750468ab1b3cee92bdc69f11f5a5ef63c2fbe47e0a753af97e4d6a378c94ff536ac215e9e0a13bada926290bf5f495b

  • C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe

    Filesize

    16KB

    MD5

    29f2698b18b9bb58b65f6cca8e82c055

    SHA1

    d025fcc035850c2eab71ce1131c96ac9f3ef6d38

    SHA256

    9291beb32724ca18a7b67cb5ac2b5617f22463f857f5d9824fd26c6ffcd8b0c2

    SHA512

    1b2002423d3594a908fa53e3b5e03b3d959a76fb78330a98c7f07961e440135ad8d653268325f6cae641d16747ea90f9a4bbb0c62efb1bc825eefc64b65f67b1

  • C:\Users\Admin\AppData\Local\Temp\DEME560.exe

    Filesize

    16KB

    MD5

    b468018084ae6713b6a8eef12dc813ca

    SHA1

    4477a7498dcda98eaedf1caa0514d24657140655

    SHA256

    27a18e01b3db0c277edbd8973b094ecf35658543d00ca09ad44a8c4a67821059

    SHA512

    75163d0fd414abaf5e208681aa8f307924a50408b02bfd8bd260e7f91c6be40808efb4c666d3f7948ef024dca55dde92e22cba68530580dda8da3bd993a48962

  • \Users\Admin\AppData\Local\Temp\DEM90BB.exe

    Filesize

    16KB

    MD5

    82991d86a7045f76d1afe5b6c3f9409a

    SHA1

    a6d6543465c569bd2d35bf8ed1323d0a99473e9d

    SHA256

    e98adf1eb4a5ce98cb23ecccc369be6b3702b34f3a5e35e9cabd11681280b758

    SHA512

    be382ea4421b8d6f47342980427fe38013c2291340ec24b26976255acb8863b147a0e5562998963dc1431108be81ad52257aeafc73213e5ae3674cf870145470

  • \Users\Admin\AppData\Local\Temp\DEME6A7.exe

    Filesize

    16KB

    MD5

    edc833903c399647a7f651d8176ae04a

    SHA1

    591d52b52de8bce9b15ddde9267b28aaa103c6a2

    SHA256

    edd6bc1f22d2d0040ef796a4ad1eaecf21c87453a1cfd448e6fd596dbc6a6969

    SHA512

    f3735fc23ddb73384f61faefc89089a953c3051683ca6ec2cab553db33e1ca0a9c9d285145a0860194310ac4e5be65abb187444cac2977564ae3b0785a659fa1
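
Every stage in the Downloads list is 16KB yet has a distinct hash, so a blocklist needs all eight entries, not just the submitted sample. The script below is an added example for this page, not tria.ge code: it transcribes the MD5/SHA1/SHA256 values from the report (SHA512 is left out for brevity), validates them before use so a copy error does not silently disable an indicator, and matches arbitrary file bytes against them. The bytes hashed in the test are constructed; none of the malware is embedded.

```python
"""Validate and match the file hashes listed in the report.

Added example, not tria.ge code. IOCS is transcribed from the Downloads and
General sections of the report; sample inputs are constructed.
"""
import hashlib
import os

IOCS = {
    "0d320338547912a20ae2209247d99265.exe": {
        "md5": "0d320338547912a20ae2209247d99265",
        "sha1": "91ddb05090a4841e1739cfc06847e444cb20a4f4",
        "sha256": "699bcfcbced15c4bea4320ada939072b82c93a8263ee18caf2f66dacff8223ec",
    },
    "DEM3B0D.exe": {
        "md5": "c1937d13a7a6a5a9bb8522dda30f5da7",
        "sha1": "1089912d9271cf01ce538cd8a1b779116359f9a0",
        "sha256": "f580da54a908c5eb93542e4709632120cb0f8040d11134fecedd0bb789188a4a",
    },
    "DEM3C36.exe": {
        "md5": "3ee7c530fbdd58c00e38f97991460919",
        "sha1": "b9f4e19b38a0fdbefb9a8bc46a6c0770d5562d79",
        "sha256": "ad31d690deec83723145d3a7358f02e43590eaa6dbbeedc168a01b2374dee6fa",
    },
    "DEM4B81.exe": {
        "md5": "823e49be39310460f0d1972fa0e593ed",
        "sha1": "e612432fb630bc7d3204796b9f44be146c7b59a0",
        "sha256": "79402f4456c31a940b314bacfac880f803d1a387aa6ee2cdce04e2185c6a0fad",
    },
    "DEM8FC1.exe": {
        "md5": "29f2698b18b9bb58b65f6cca8e82c055",
        "sha1": "d025fcc035850c2eab71ce1131c96ac9f3ef6d38",
        "sha256": "9291beb32724ca18a7b67cb5ac2b5617f22463f857f5d9824fd26c6ffcd8b0c2",
    },
    "DEME560.exe": {
        "md5": "b468018084ae6713b6a8eef12dc813ca",
        "sha1": "4477a7498dcda98eaedf1caa0514d24657140655",
        "sha256": "27a18e01b3db0c277edbd8973b094ecf35658543d00ca09ad44a8c4a67821059",
    },
    "DEM90BB.exe": {
        "md5": "82991d86a7045f76d1afe5b6c3f9409a",
        "sha1": "a6d6543465c569bd2d35bf8ed1323d0a99473e9d",
        "sha256": "e98adf1eb4a5ce98cb23ecccc369be6b3702b34f3a5e35e9cabd11681280b758",
    },
    "DEME6A7.exe": {
        "md5": "edc833903c399647a7f651d8176ae04a",
        "sha1": "591d52b52de8bce9b15ddde9267b28aaa103c6a2",
        "sha256": "edd6bc1f22d2d0040ef796a4ad1eaecf21c87453a1cfd448e6fd596dbc6a6969",
    },
}

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_iocs(iocs):
    """Return (name, algo) pairs whose value is not lowercase hex of the right
    length. An empty list means every indicator is usable."""
    bad = []
    for name, hashes in iocs.items():
        for algo, value in hashes.items():
            if len(value) != HEX_LEN[algo] or set(value) - set("0123456789abcdef"):
                bad.append((name, algo))
    return bad


def digests(data):
    """MD5, SHA1 and SHA256 of data as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LEN}


def match_iocs(data, iocs):
    """Return (stage name, algorithm) for the first indicator data matches.

    SHA256 decides when the indicator carries one; MD5/SHA1 are consulted only
    for entries that lack SHA256, since both are collision-prone on their own.
    """
    found = digests(data)
    for name, hashes in iocs.items():
        if "sha256" in hashes:
            if hashes["sha256"] == found["sha256"]:
                return name, "sha256"
            continue
        for algo in ("sha1", "md5"):
            if hashes.get(algo) == found[algo]:
                return name, algo
    return None


def scan_dir(root, iocs):
    """Walk root and return [(path, stage name, algorithm)] for matching files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                hit = match_iocs(fh.read(), iocs)
            if hit:
                hits.append((path, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    assert validate_iocs(IOCS) == [], validate_iocs(IOCS)
    print(scan_dir(os.environ.get("LOCALAPPDATA", "."), IOCS))
```

Run validate_iocs once when the table is loaded; a hash that is one character short is the kind of error that leaves a blocklist entry permanently dead. Note that a single-byte change to any stage defeats all three hashes, which is why the chain-shape rule from the Processes section is the more durable detection and the hashes are best used for retrospective matching against this exact build.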