Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 03:25

General

  • Target

    02e9f7efaccb329cbee9944055f450ce.exe

  • Size

    384KB

  • MD5

    02e9f7efaccb329cbee9944055f450ce

  • SHA1

    3b2db2099ae94a59ba4c7b73fef61e3b7d2b714a

  • SHA256

    32e7c5ef311dfe167dc4d6ac7504414794fe586b09dc4e71bf8b8c0b9e73854e

  • SHA512

    6648d31b7dfdf01f11b90f8c56e1584d2b189d1de1d3d8e964f871d8fb9f87075497bace44d0113d0329dc3ee689376ffa9b0e514c819a24617130bd9328d431

  • SSDEEP

    6144:U8HdNRrsK+rjtphMYgKVIsabPghrNy0v2jzwoR2k5gVvut9E3QyU6:UkdNqKspYFzTgjy0v2jEowwgputWAyU6

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02e9f7efaccb329cbee9944055f450ce.exe
    "C:\Users\Admin\AppData\Local\Temp\02e9f7efaccb329cbee9944055f450ce.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\ProgramData\eP21703EcBdB21703\eP21703EcBdB21703.exe
      "C:\ProgramData\eP21703EcBdB21703\eP21703EcBdB21703.exe" "C:\Users\Admin\AppData\Local\Temp\02e9f7efaccb329cbee9944055f450ce.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\eP21703EcBdB21703\eP21703EcBdB21703.exe

    Filesize

    384KB

    MD5

    c4e8bb3c4f4b9090f328bf9c4e42529a

    SHA1

    a97e288833013b9d259ec3edd9fa538843c1c0ce

    SHA256

    c4023919ebb8880957881671b57128dc548036c776c0f14d6cb2883cba4a448f

    SHA512

    3962ed42d005011445bdd9a9791631a51c00d0511ff2fad692b94317cb4638fcac34104dd9c9be92ff5dd64e77ffe73647bf2b55812069ed0235388d6e634b13

  • memory/1696-0-0x0000000000230000-0x0000000000233000-memory.dmp

    Filesize

    12KB

  • memory/1696-7-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

  • memory/1696-6-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1696-176-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

  • memory/1696-214-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

  • memory/2544-95-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

  • memory/2544-94-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

  • memory/2544-181-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

  • memory/2544-219-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB