Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

54d1ea41db...e9.exe

windows7-x64

10

54d1ea41db...e9.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54d1ea41db69c34d3704c96515d5b1e9.exe

  • Size

    300KB

  • MD5

    54d1ea41db69c34d3704c96515d5b1e9

  • SHA1

    25dada3cbd9b0a683a65df884cd76dc41897d219

  • SHA256

    71f26ec4de6a595881a1a235e29ffea8a4b0794000ffb780c2fe37e98ca34c76

  • SHA512

    864a24cb79bbc270cdd49c5fbb81c54f6243be2734b1834842e7219ce47c889e2f4c2b6d0f87326d775029dc87d2c9efbd2fe3f0383a62520cb27a04c988581a

  • SSDEEP

    6144:RRLLNYTpkl9B1erzj1GY8/xA/iWHhblby8/1CaZSA/7bT0n/yX9:RstkJ1Qzj1GY8u/Nxlbyg1N/fTKyX9

Score
10/10
evasion

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe
    "C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe
      C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\a.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • Runs .reg file with regedit
          PID:1628
      • C:\Windows\SysWOW64\win.exe
        C:\Windows\system32\win.exe 480 "C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        PID:1564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    895301bce84d6fe707b5cfd50f1f9f97

    SHA1

    50a012f59655621768f624c4571654145663c042

    SHA256

    b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

    SHA512

    a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

    Download Submit

  • \??\c:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit

  • memory/2860-0-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2860-2-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2860-4-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2860-6-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2860-137-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2860-18-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2860-10-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2860-8-0x0000000000400000-0x0000000000526000-memory.dmp

    Filesize

    1.1MB

    Download