Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    194s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 14:42

General

  • Target

    2669bcf7c0017f24ae73072ce64db9b6.exe

  • Size

    298KB

  • MD5

    2669bcf7c0017f24ae73072ce64db9b6

  • SHA1

    0292296d1591ad7b2072eb78b207190f206a03b5

  • SHA256

    28f8b5f89ad7d768a542793ec6788e182a5be2d13c27819f0a778cdba7951f1b

  • SHA512

    9131325f849ba9e91ad2d702f33a6fd91b55847683453346fc6d76a322bcd0b1aaa2b8c47375d542309e889ce2196e2d7ae766e22a48e784dca9bf5fd37580c3

  • SSDEEP

    6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYP:v6Wq4aaE6KwyF5L0Y2D1PqLa

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2669bcf7c0017f24ae73072ce64db9b6.exe
    "C:\Users\Admin\AppData\Local\Temp\2669bcf7c0017f24ae73072ce64db9b6.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\svhost.exe
      C:\Windows\svhost.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Documents and Settings.exe

    Filesize

    298KB

    MD5

    66c91a45c55291d076c7f97b7182c09f

    SHA1

    f9d9326c8e8c18ede4d7c4d4484313bf31af3d6c

    SHA256

    3f48586b0fbcf0a697415fa37f777831eee288edcceca9aa9f7023a5e5b844f7

    SHA512

    22cfb08bf33a5cddd4c80628e27ce4ccd30825582d4c69132f183c57b178b681708c37a17560a6d4bbb2428289e1f47c94fda850560741eea19544807575b8ba

  • C:\Windows\Driver.db

    Filesize

    82B

    MD5

    c2d2dc50dca8a2bfdc8e2d59dfa5796d

    SHA1

    7a6150fc53244e28d1bcea437c0c9d276c41ccad

    SHA256

    b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

    SHA512

    6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

  • C:\Windows\svhost.exe

    Filesize

    298KB

    MD5

    171e4a295b7160a99ca9ec1613d4a24d

    SHA1

    77c896ee903df2e1927eb08195750bd17c26cbc9

    SHA256

    4d149968b7ef94990fb36ca605a9238a4dfe534ac3199124074ac312b40c2389

    SHA512

    3a4b310a60f3db30a2baa015142fd9bec84df77af440e584d4e3890aa06ee230783a78ad52b66623bfec35e656725886b6004f60b896c1a1407f34d1d837b6f2

  • memory/1236-1304-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-6548-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-10818-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-9797-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-707-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-8876-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-7547-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-1480-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-2076-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-2918-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-3833-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-4627-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-5608-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1236-6-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2872-0-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2872-714-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2872-687-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2872-1-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB