Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 16:32

General

  • Target

    05e4debc81b24e42696b6246a0f5ab21.exe

  • Size

    10KB

  • MD5

    05e4debc81b24e42696b6246a0f5ab21

  • SHA1

    5273ca90291090b1ef20e0b615299427545e076c

  • SHA256

    c262e243b99902ee2c601d0d623c777c65781e7211a166035bd31d03ba5b7c1a

  • SHA512

    20c527cc35d79cb0a25bd80a2ae5344c31b10f2d12754ab7fc3afb06baaaaccb93de564dba4e6b5d80bdb9a14b6e21a767654d0c88281cbbd61908f1bdf4b8ac

  • SSDEEP

    192:f1rTjAbiNTYQGrv3g7OGmQp1rbX1VCf31AdLQ:fJ1DGDQ7OGHPnCd

Score
8/10

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe
    "C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\jolenmk.exe
      C:\Windows\system32\jolenmk.exe ˜‰
      2⤵
      • Executes dropped EXE
      PID:1672
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe.bat
      2⤵
      • Deletes itself
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe.bat

    Filesize

    182B

    MD5

    3f224fabf8c1f7fe5200cb59317bdfa2

    SHA1

    9b1154c0662f9a9eed3ab68acc8d6d47337fd371

    SHA256

    6b07e1eaebb90aa111fb7987395cad5bcb338828baa1ea09f9eebc1bb23a7de2

    SHA512

    5d1416c63a871f1d640673ea8a4b98993ae818a7f1e613f3723168f5cdb176fbf6923d8da8e5ad43641a3fbab909109f2724813ed46f3a1076656efa370c757c

  • \Windows\SysWOW64\jolenmk.exe

    Filesize

    10KB

    MD5

    05e4debc81b24e42696b6246a0f5ab21

    SHA1

    5273ca90291090b1ef20e0b615299427545e076c

    SHA256

    c262e243b99902ee2c601d0d623c777c65781e7211a166035bd31d03ba5b7c1a

    SHA512

    20c527cc35d79cb0a25bd80a2ae5344c31b10f2d12754ab7fc3afb06baaaaccb93de564dba4e6b5d80bdb9a14b6e21a767654d0c88281cbbd61908f1bdf4b8ac

  • memory/1672-11-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1960-1-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1960-4-0x00000000002B0000-0x00000000002BF000-memory.dmp

    Filesize

    60KB

  • memory/1960-12-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1960-16-0x00000000002B0000-0x00000000002BF000-memory.dmp

    Filesize

    60KB