Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 03:02

General

  • Target

    01a16e5a927bcfa66d0e014fee748a5c.exe

  • Size

    506KB

  • MD5

    01a16e5a927bcfa66d0e014fee748a5c

  • SHA1

    455a8f22f3040757465bb5246ba9253369eeb99e

  • SHA256

    d5121b281c7965d9ba78574cdfda0bd52fb3515220085ebb0deab338e65bf3a3

  • SHA512

    e181f918818de8fc10283575439699ae288ede252fd0544a5fa73b220f95ce32e5088c350ce104bf0e83e1293f25eb20a10e8edebb4f2bd4e49aca1d3754be74

  • SSDEEP

    12288:ViW/r/oynJzjnt4ssYMtQVzjcHRoBfNEHfAT:VicrQYzt4s+tW3cHRo7EoT

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe" /TN Google_Trk_Updater /F
    1⤵
    • Creates scheduled task(s)
    PID:2820
  • C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe
    C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3048
  • C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe
    "C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1616-0-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

  • memory/1616-7-0x00000000001A0000-0x0000000000223000-memory.dmp

    Filesize

    524KB

  • memory/1616-17-0x0000000000370000-0x00000000003F3000-memory.dmp

    Filesize

    524KB

  • memory/1616-14-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/1616-1-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/3048-20-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

  • memory/3048-29-0x00000000014F0000-0x000000000156E000-memory.dmp

    Filesize

    504KB

  • memory/3048-24-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/3048-22-0x0000000000220000-0x00000000002A3000-memory.dmp

    Filesize

    524KB

  • memory/3048-65-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB