Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2023, 07:10

General

  • Target

    5ba4428428af3443cf2850281cb42733.exe

  • Size

    310KB

  • MD5

    5ba4428428af3443cf2850281cb42733

  • SHA1

    2ccdd810a311f4dc5c5fef60d44396a6ff5088ee

  • SHA256

    2a60eb4e064ef7da65c69790df433c8774e8f18ef29d12f148d01e0002d59a3f

  • SHA512

    08d19e9550cf21ae33618bff62ad0fb23667f2394596d90572f2aadfc36489e607e39495da034a92a5118c55c4143e7a95533566dcebf0ece5057265ef9b2003

  • SSDEEP

    6144:BYDau9n2z+Luag/AGPt/QpAGaeBY4NVYv6mlp18aCUYyVrTtLE:qWukz+Lu35Pt/GAGNNxmlX8aCcVrT5E

Score
7/10

Malware Config

Signatures

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe
    "C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe
      C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe /AutoIt3ExecuteLine "MsgBox('32', 'ROFL', 'DAS IST EIN LOOOOL :D Haha')"
      2⤵
        PID:2848
      • C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe
        "C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 36
          3⤵
          • Program crash
          PID:2808

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2676-3-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize: 12KB
  • memory/2676-14-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize: 12KB
  • memory/2676-12-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize: 12KB
  • memory/2676-10-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize: 12KB
  • memory/2676-7-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize: 12KB
  • memory/2676-17-0x0000000000400000-0x0000000000402400-memory.dmp
    Filesize: 9KB
  • memory/2848-6-0x0000000000400000-0x00000000004BB000-memory.dmp
    Filesize: 748KB
  • memory/2848-16-0x0000000000400000-0x00000000004BB000-memory.dmp
    Filesize: 748KB
  • memory/2848-18-0x0000000000400000-0x00000000004BB000-memory.dmp
    Filesize: 748KB
  • memory/2900-4-0x00000000036F0000-0x00000000037AB000-memory.dmp
    Filesize: 748KB
  • memory/2900-8-0x0000000003A60000-0x0000000003B1B000-memory.dmp
    Filesize: 748KB
  • memory/2900-15-0x0000000000400000-0x00000000004BB000-memory.dmp
    Filesize: 748KB
  • memory/2900-0-0x0000000000400000-0x00000000004BB000-memory.dmp
    Filesize: 748KB