Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 18:32
Behavioral task: behavioral1
- Sample: 0c15c2b40fd0a496a1ca36d3fbb203c1.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0c15c2b40fd0a496a1ca36d3fbb203c1.exe
- Resource: win10v2004-20231215-en
General
- Target: 0c15c2b40fd0a496a1ca36d3fbb203c1.exe
- Size: 885KB
- MD5: 0c15c2b40fd0a496a1ca36d3fbb203c1
- SHA1: 01312c3806c9a9d6aa8be11f196544f4d7afaee3
- SHA256: 6c78f42692176f97269807e4a685a2c9d5d0a811cfa5ccb65b63e2a6da80d182
- SHA512: 0764bbb2689e99e28b9983553bd9a8eb6eda97428c161c9fcc7dff49ee130d4eff56769a7c24144ec0fffeedf2f18139f88eb70651fd97f44eb15421401080ad
- SSDEEP: 12288:rbpHYUKy5U1bo9t8DMRSW9vbciUiLuAvOxMt11i27QitjBHANNVAUNE:r5sJo6YrFUiyAak11LtjJ
Malware Config
Signatures (behavioral1, win7-20231215-en)

Executes dropped EXE (1 IoC)
- PID 2104: svchest000.exe

YARA rule hits: upx (UPX-packed regions in both the original process and the dropped copy)
- behavioral1/memory/1812-0-0x0000000000400000-0x0000000000597000-memory.dmp: upx
- behavioral1/memory/1812-1-0x0000000000400000-0x0000000000597000-memory.dmp: upx
- behavioral1/memory/1812-13-0x0000000000400000-0x0000000000597000-memory.dmp: upx
- behavioral1/memory/2104-9-0x0000000000400000-0x0000000000597000-memory.dmp: upx
- behavioral1/memory/2104-12-0x0000000000400000-0x0000000000597000-memory.dmp: upx
- behavioral1/files/0x000c00000001444d-7.dat: upx

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0c15c2b40fd0a496a1ca36d3fbb203c1.exe" by 0c15c2b40fd0a496a1ca36d3fbb203c1.exe
  Note that the value lands under Wow6432Node (the sample is a 32-bit image on a 64-bit guest) and points back at the original %TEMP% path, not at the copy dropped into C:\Windows.

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 1812: 0c15c2b40fd0a496a1ca36d3fbb203c1.exe
- PID 2104: svchest000.exe

Drops file in Windows directory (4 IoCs)
- File created \??\c:\Windows\BJ.exe by 0c15c2b40fd0a496a1ca36d3fbb203c1.exe
- File opened for modification \??\c:\Windows\BJ.exe by 0c15c2b40fd0a496a1ca36d3fbb203c1.exe
- File created \??\c:\Windows\svchest000.exe by 0c15c2b40fd0a496a1ca36d3fbb203c1.exe
- File opened for modification \??\c:\Windows\svchest000.exe by 0c15c2b40fd0a496a1ca36d3fbb203c1.exe

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1812 (0c15c2b40fd0a496a1ca36d3fbb203c1.exe) wrote to memory of PID 2104 (procid_target 17), four times
  All four writes target the child svchest000.exe that 1812 itself spawned (see Processes); a parent writing into a freshly created child is also what CreateProcess does, so on its own this hit is weak evidence of injection.
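The signature hits above are the kind of thing a detection engineer turns into host rules. The following is an added example (not tria.ge code and not part of this report): it replays hand-constructed telemetry built from the IoCs listed above through four small rules, tracking state so that execution of a file written earlier in the stream is recognised, and excluding the parent-to-child WriteProcessMemory that every process creation produces. The event schema (event, pid, ppid, image, key, data, path, target_pid) and the two vendor "control" events are assumptions made for the example.

```python
"""Replay the behaviours tria.ge flagged on this sample through simple host rules.

Added example, not tria.ge code. EVENTS is constructed by hand from the IoCs in
the Signatures section using an assumed flat schema; two benign vendor events
are included as controls. NT-style (\\??\\c:\\...) and Win32-style (C:\\...)
paths are normalised before comparison.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0c15c2b40fd0a496a1ca36d3fbb203c1.exe"

# Constructed telemetry, in the order the sandbox reported it.
EVENTS = [
    {"event": "process_create", "pid": 1812, "ppid": 400, "image": SAMPLE},
    {"event": "registry_set", "pid": 1812, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris",
     "data": SAMPLE},
    {"event": "file_create", "pid": 1812, "image": SAMPLE, "path": r"\??\c:\Windows\BJ.exe"},
    {"event": "file_create", "pid": 1812, "image": SAMPLE, "path": r"\??\c:\Windows\svchest000.exe"},
    {"event": "process_create", "pid": 2104, "ppid": 1812, "image": r"c:\Windows\svchest000.exe"},
    {"event": "write_process_memory", "pid": 1812, "image": SAMPLE, "target_pid": 2104},
    # Constructed benign controls (assumed): a vendor updater registering itself
    # under Run, and the parent-to-child write that CreateProcess always performs.
    {"event": "registry_set", "pid": 900, "image": r"C:\Program Files\Vendor\updater.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
    {"event": "process_create", "pid": 901, "ppid": 900, "image": r"C:\Program Files\Vendor\helper.exe"},
    {"event": "write_process_memory", "pid": 900, "image": r"C:\Program Files\Vendor\updater.exe",
     "target_pid": 901},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)            # native or Wow6432Node
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def norm(path: str) -> str:
    """Drop the NT \\??\\ prefix and lower-case so both path spellings compare equal."""
    p = path[4:] if path.startswith("\\??\\") else path
    return p.lower()


def triage(events):
    """Return (rule, pid, detail) hits. Keeps the set of files written so far and a
    pid -> ppid map, which the dropped-EXE and memory-write rules depend on."""
    hits = []
    dropped = {}   # normalised path -> pid that wrote it
    parent = {}    # pid -> ppid
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            parent[ev["pid"]] = ev["ppid"]
            img = norm(ev["image"])
            # Executes dropped EXE: the image was written earlier by another process.
            if img in dropped and dropped[img] != ev["pid"]:
                hits.append(("executes_dropped_exe", ev["pid"], img))
        elif kind == "registry_set":
            # Run-key persistence whose target lives in a user-writable location.
            if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(norm(ev["data"])):
                hits.append(("run_key_to_user_writable", ev["pid"], ev["key"]))
        elif kind == "file_create":
            p = norm(ev["path"])
            dropped[p] = ev["pid"]
            # Executable written into C:\Windows by a process running from a user-writable dir.
            if WINDOWS_DIR.match(p) and USER_WRITABLE.search(norm(ev["image"])):
                hits.append(("exe_dropped_in_windows_dir", ev["pid"], p))
        elif kind == "write_process_memory":
            # A parent writing into its own direct child is what CreateProcess does;
            # only writes into some other process are flagged here.
            if parent.get(ev["target_pid"]) != ev["pid"]:
                hits.append(("cross_process_memory_write", ev["pid"], ev["target_pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Run against the constructed events, the sample's Run key, both drops into C:\Windows and the execution of svchest000.exe fire, the vendor controls stay silent, and neither WriteProcessMemory event fires: the report's four hits are parent-to-child writes, which this rule deliberately treats as noise. Real telemetry would need the same path normalisation applied to Sysmon or EDR fields rather than to sandbox IoC strings.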
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c15c2b40fd0a496a1ca36d3fbb203c1.exe (PID 1812)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c15c2b40fd0a496a1ca36d3fbb203c1.exe"
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. \??\c:\Windows\svchest000.exe (PID 2104, child of 1812)
      Command line: c:\Windows\svchest000.exe
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 165KB
- MD5: c90a0c3877ae2853780f45a3ff3b8f69
- SHA1: ac7dafee7d82761c03257b006e3188b6ad80a4dc
- SHA256: 6ae5e09b35e9bacd9c680fd3f1ad5f27d5d819c6ae9f6e16c320cedfc865277e
- SHA512: 3c4b3897870c1743f40c47e8a895d7119d9dd69b1288adf8e1ec2b04aa20db9be0a3d3bfce73c93091f4d7ee8d5743b714a59b4e64a2106a0067a464c52ba842