Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 00:46

General

  • Target

    475e179c47be2b99f5a7e648fa93c37f.exe

  • Size

    64KB

  • MD5

    475e179c47be2b99f5a7e648fa93c37f

  • SHA1

    b3c174b36797a997fbde7c510aab2e75ba08c180

  • SHA256

    70cfd9c937d95a62f8cd555873a02eb4c86005382c05b554b3719c2939bacad5

  • SHA512

    89ddb8f6d85118a0c2db7826f59594dd72b4c2ce98290994dd42e73e69accbd7fceb1997a07864e95c11fb3c337edc8edbe2dcaa12de8842c9ed705800e636a0

  • SSDEEP

    768:gIsnfK9Oqn5HZJiXyS2+MscZsGCeIwrvtQ1j9l8/nxNY66xnH:MfK/55JvxD6Gen1jYxG66xH

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del c:\Windows\GetTran.exe
    1⤵
      PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\475E17~1.EXE > nul
      1⤵
      • Deletes itself
      PID:2836
    • \??\c:\Windows\GetTran.exe
      c:\Windows\GetTran.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1748
    • C:\Users\Admin\AppData\Local\Temp\475e179c47be2b99f5a7e648fa93c37f.exe
      "C:\Users\Admin\AppData\Local\Temp\475e179c47be2b99f5a7e648fa93c37f.exe"
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1520

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\GetTran.exe

      Filesize

      44KB

      MD5

      5381167509544853bd2c6302d532b292

      SHA1

      5e4335e60f04f37e0a74bee0447822d95e6bbf57

      SHA256

      06fb19cf6bf528e15f4b59fc9be36215037a12205ce8fa128873d5555f6fb017

      SHA512

      132576e3231e589902736cf31d0699af9b2900031822c649431779e32bb2da78eba508db5936a77439df7216eb4c981d19d8ad327c2105c90283b6550839d4c5

    • \Windows\SysWOW64\zydxc0209.dll

      Filesize

      64KB

      MD5

      08206fad28489399c65aa23e5af5f57b

      SHA1

      6c40a56090700622b71fc6696c093e007aeb581f

      SHA256

      63fe619153f8739fedd240aad11d5612a84164c2b8d589a2b664844a8760cc16

      SHA512

      e196e0c0bbf6c02e8d527069efe3eb39b1b2e02c3a9014a760de93d1897fec9f4a590b89f16db791d3e9412e8da0ecf52a3fefa296d0545d45f5afff2a7ce34a

    • memory/1748-14-0x0000000010000000-0x0000000010012000-memory.dmp

      Filesize

      72KB

    • memory/1748-18-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB