Analysis

  • max time kernel: 141s
  • max time network: 140s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 22/12/2023, 13:27

General

  • Target: a382d5629bc8d44759bc73c3166e3d46.exe
  • Size: 4.4MB
  • MD5: a382d5629bc8d44759bc73c3166e3d46
  • SHA1: 2ae6dd3d8b45d340dc9065b16be1370a99bec615
  • SHA256: fe4ef7eb884fed14e5ca386bd3f6dd470309681a8c718ea3a3447139a41380f6
  • SHA512: 0d2a83b3fb3fee3bfb4ae5aa2c0bda5ccff7adbc37f8bf716ece6398d235a5141f750cca877a30e68611fb8f69b6b79ba876f7584bd31f63b8371176a68ed747
  • SSDEEP: 98304:HdJcUQLUGrupm8EC2+dHI02EQdeYgS5toD80r:/PGZKm8EOh2NUhDF

Score
7/10

Signatures

  • UPX packed file (3 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (13 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • NSIS installer (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (62 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a382d5629bc8d44759bc73c3166e3d46.exe (PID 2392)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a382d5629bc8d44759bc73c3166e3d46.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (PID 2984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1847330 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a382d5629bc8d44759bc73c3166e3d46.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3627615824-4061627003-3019543961-1000"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe (PID 2568)
        Command line: "C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe" -in
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses


Downloads

  • C:\Users\Admin\AppData\Roaming\LookPicture\FreeImage.dll
    Filesize: 4.3MB
    MD5: 6341f4bdd2ffa5d43b37ea746a2f0831
    SHA1: 7c97207c7e3022b5a899965987d43e3b2bb7cb7c
    SHA256: a5cafa6449b0cc9b012c4becb5a9f28c5ea830f883339b06f9e5ae57999f1665
    SHA512: dc1e69a9480c2ee1f9063330f433cadde49c470cc985228e85444faf9ef4eceb58db0b6f54534b990c5925fdbe634d56af0fb9d0c4d942e96ed5bbfbf9fc1cae

  • C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.ini
    Filesize: 45B
    MD5: ea0e191382c342f37fed75b3d6241d24
    SHA1: 3f28dfc009194d624e282ff178e415ef1f81b13a
    SHA256: a7579c49522e82e47065fb94081608b115fb745faf34a099b6e77bcbdcd13b8d
    SHA512: 71f1b4cbbf9530bc647c7046f4f0f5b263cf75be99959e74ff58774ffe38eb5ba91820f8546aee72012ec76ad559f366a8db3cd22cb3acaa2ddd780e216eef87

  • C:\Users\Admin\AppData\Roaming\LookPicture\Uninst.exe
    Filesize: 114KB
    MD5: 4493eeb8fcfe69942b4686f4f368b43c
    SHA1: 9c086b0721b9cf099e627e91b689af202913247e
    SHA256: ac112aa639504a0a3ade925fc23de0c1d32c3200eec16845f6db03e06c14daf5
    SHA512: 2e801da9ef7435790b2a7622d616a04e5f4ab4cdffdba4b59032c79cbeeb20e865fc665b03aa186b1e0e63448eac11bfe5d493c1cbd116e391864efba187860d

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    Filesize: 1.3MB
    MD5: 7eb6266334c70e3ffa235d2571614734
    SHA1: de003214a0034ca3dbe9ed35f482f2aaa235c5d7
    SHA256: 0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f
    SHA512: f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
    Filesize: 326KB
    MD5: e7a789232ef503dcb4929791673009a3
    SHA1: 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
    SHA256: 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
    SHA512: 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

  • \Users\Admin\AppData\Roaming\LookPicture\FreeImage.dll
    Filesize: 3.2MB
    MD5: 15e5ed3886e54523a3781f69233d294b
    SHA1: bcd1af015a7fb9a49c0c60f82d126141feefb316
    SHA256: 3de0b810fbc297eb5cbb1736342af4a3be29bbb3ddeb19ab65b596841c000ddd
    SHA512: 18204f236687f83f488cc380e9984565c6fccd226915a7c638e718157cdd0bd7274732c8f2ddfce98c03e3af404e10b0d59053ae643c90d9fb30c8337c66087b

  • \Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe
    Filesize: 1.8MB
    MD5: 4cdb3c220777364e88167dd3125b2cc8
    SHA1: 8f1219766b955c6e8fcb555dc718ebd0f688e6d8
    SHA256: a7962322db50fc381f969cd1778539bd13dd20db3b26d8944a7d768e24a6471d
    SHA512: d041118c7bc97ad2dc0ad21b28858d6f7f3d51713555ef7f5ebe0d783b9bfaa9abfb7e0b3930eeb7f88bb81ff88774061f1fd1a90ca1435e649074d09792c0e7

  • memory/2392-6-0x0000000003160000-0x0000000003548000-memory.dmp
    Filesize: 3.9MB
  • memory/2392-19-0x0000000003160000-0x0000000003548000-memory.dmp
    Filesize: 3.9MB
  • memory/2984-20-0x0000000000ED0000-0x00000000012B8000-memory.dmp
    Filesize: 3.9MB
  • memory/2984-76-0x0000000000B50000-0x0000000000B60000-memory.dmp
    Filesize: 64KB
  • memory/2984-79-0x0000000000ED0000-0x00000000012B8000-memory.dmp
    Filesize: 3.9MB
  • memory/2984-81-0x0000000000B50000-0x0000000000B60000-memory.dmp
    Filesize: 64KB