Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 07:35

General

  • Target

    0f3ace680f8970915f343bdc44bd8af0.exe

  • Size

    242KB

  • MD5

    0f3ace680f8970915f343bdc44bd8af0

  • SHA1

    f86e80140e9e0c99c4c5f616c434f86ef4fc78a9

  • SHA256

    e9521682d9b447132a5e84aa75b84742438a3f65d592b3b5bd5cfea9b834370d

  • SHA512

    235d0eda2d22a8336b4d627d5901f7fe2962989986a3c7386fe40a473214c76424e83e9d9880d6e10c8bb534cc11dce5643a40e9a984b22ac6abf6280565dabc

  • SSDEEP

    6144:7yXm01Y/Ak/HplW+mTodH3UicxA5YylWVkRV:uXm0C/x/JlW+Ic48sV4V

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe" /TN Google_Trk_Updater /F
    1⤵
    • Creates scheduled task(s)
    PID:2572
  • C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
    C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1728
  • C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe
    "C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0f3ace680f8970915f343bdc44bd8af0.exe

    Filesize

    20KB

    MD5

    89c34e7f1d75e8d8e350da64a06feea5

    SHA1

    8676b6244fe43f12e813edb8694ae3e5140387b3

    SHA256

    01d9adba9cdd33ac0295bc7b13d178a6538d125cfcc16145d309c0994f598ba0

    SHA512

    2e198479d7719127be70f89d14cb553b54450825e0194bc4f109172f6d28b8d8d178072c39f35ea3393e00ab6320073bf819b57a9c9bc04066da0daa7ec0e587

  • memory/1728-21-0x00000000002A0000-0x0000000000357000-memory.dmp

    Filesize

    732KB

  • memory/1728-19-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/1728-29-0x0000000000360000-0x00000000003C7000-memory.dmp

    Filesize

    412KB

  • memory/1728-24-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/1728-16-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2488-1-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2488-3-0x0000000000330000-0x00000000003E7000-memory.dmp

    Filesize

    732KB

  • memory/2488-17-0x0000000002D60000-0x0000000002E17000-memory.dmp

    Filesize

    732KB

  • memory/2488-14-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2488-0-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB