Analysis

  • max time kernel
    138s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20231129-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    22/12/2023, 13:38

General

  • Target

    a84fdb6d6d897c5eaf25da495b6579a8.exe

  • Size

    7.8MB

  • MD5

    a84fdb6d6d897c5eaf25da495b6579a8

  • SHA1

    8ac290a374b358d22607b967ce43585d84d555c9

  • SHA256

    0c3800ca5bdcddd95f7fc29756ef7c8f0016946199a6c2c891673fc267e3b011

  • SHA512

    fd524b75cc222c7974a653c4627ba1af103d80ec153827ca3120442b8530e074b1a46cc44179477a860c40d7b34712d809accf667290552bf777a247ea8a5fda

  • SSDEEP

    196608:NrWazp8eh7FkNqKo0rkOh7FkNqK0tAh7FkNqKo0rkOh7FkNqKcXLj3ceh7FkNqKe:k8px7upo0rd7upyy7upo0rd7upcEY7u4

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a84fdb6d6d897c5eaf25da495b6579a8.exe
    "C:\Users\Admin\AppData\Local\Temp\a84fdb6d6d897c5eaf25da495b6579a8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Local\Temp\a84fdb6d6d897c5eaf25da495b6579a8.exe
      C:\Users\Admin\AppData\Local\Temp\a84fdb6d6d897c5eaf25da495b6579a8.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a84fdb6d6d897c5eaf25da495b6579a8.exe" /TN 6ek6uOO9da42 /F
        3⤵
        • Creates scheduled task(s)
        PID:2052
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\HZwpA.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2744
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Query /XML /TN 6ek6uOO9da42
    1⤵
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\HZwpA.xml

      Filesize

      1KB

      MD5

      61414f424fc917fa8f5f498de4d4ada6

      SHA1

      f39a2a504076c6af416b88f341a942635fd0489f

      SHA256

      706a1ec028631104da9a98ce2adc629a80fcb2965ed8269ddf6648fd50d5643d

      SHA512

      c7332194e9a084bf58d493546878ec1656460684499c4b0f28dfa2949561753715851c6ef3ab6cd4a5dc4e823765b5e016b3dea2a1cd32fec76dc6b279c9e4a4

    • C:\Users\Admin\AppData\Local\Temp\a84fdb6d6d897c5eaf25da495b6579a8.exe

      Filesize

      7.8MB

      MD5

      fae0e295ab2dc296eaf4463671d97663

      SHA1

      256751c85503e005b522fb34f38cc7104d2f9962

      SHA256

      87931ae48796834c46a3d6f48894dddb8a4efea1d04c63e6623089a1dece1337

      SHA512

      cab3cc75efb47c179cd6bb25cd921d50f32d934bf8fd5b89c612f676f4b5a0f61b4b882143b62df7dd1b3368827ed79d70981b93a17a945377cb888806e84032

    • \Users\Admin\AppData\Local\Temp\a84fdb6d6d897c5eaf25da495b6579a8.exe

      Filesize

      64KB

      MD5

      3d367c691f0d82afddfcaa59bcd724e7

      SHA1

      4204535a3109a7f993d23625400162159f93697e

      SHA256

      519dced751ae740c9983695fc71b07a00483d8db1c98f365a314b236a7a5d35e

      SHA512

      2e2ecb22bede7015054efdfb4abd8f8b9f66e8d5fab8708cdaa94b6b707045058bb78ba7813a512a63cbb9fc660380eefab25297ce69b91891fb5d1c514a03cd

    • memory/1328-17-0x0000000023F90000-0x00000000241EC000-memory.dmp

      Filesize

      2.4MB

    • memory/1328-0-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/1328-16-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/1328-1-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/1328-3-0x0000000000250000-0x00000000002CE000-memory.dmp

      Filesize

      504KB

    • memory/2160-20-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2160-21-0x0000000000290000-0x000000000030E000-memory.dmp

      Filesize

      504KB

    • memory/2160-26-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/2160-31-0x0000000000310000-0x000000000037B000-memory.dmp

      Filesize

      428KB

    • memory/2160-45-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB