Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2023, 08:06

General

  • Target

    5e6cc5735d0ade6949c115d0b57853af.exe

  • Size

    2.0MB

  • MD5

    5e6cc5735d0ade6949c115d0b57853af

  • SHA1

    304275ae624aa1a12eac83cda415b4acf9f30533

  • SHA256

    ede16809d33515e9189397610f0e580c1016a7cca138823f94e20667f7badf11

  • SHA512

    af0e18354c211b490797c57de85464ea7b6f2aa412c72c40b6b38f471e1a0e79c4416dd1262df2320f266e7bdd781c0a47777eb46f51c15be11a5b0be13ddc44

  • SSDEEP

    49152:OFUcx88PWPOpX0SFrL5cS/W253ExzI9nzFXNpA1yGc:O+K88uPCHF5cSu7Rop0yGc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.exe
    "C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\3CD2.tmp
      "C:\Users\Admin\AppData\Local\Temp\3CD2.tmp" --splashC:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.exe 07792D10D594188045DEC28DA9E63A78F46511B47AF364F757C7047F2725F38BA686A4644F6B0C1AD8FE51E55E29B91D9E4C7BD622D6FF5F290379185129FA1F
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.docx"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3CD2.tmp

    Filesize

    527KB

    MD5

    3036ebb201da302e9fd1f97216e84b6f

    SHA1

    a3b1007574794e0bcfc4d2d1cad95e4925dec685

    SHA256

    bebf5783af6ded4b933685bcdba5715eeaec22a2fff65aae1c12a623268e4d1c

    SHA512

    81d773874b20c58ff17a42f64a4711aa4171889283527f4378634f19153bc6023de00738241d24cc04594918e56fd1377c63d09d591ee0bbfad1e9e035b4ce94

  • C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.docx

    Filesize

    19KB

    MD5

    4046ff080673cffac6529512b8d3bdbb

    SHA1

    d3cbc39065b7a55e995fa25397da2140bdac80c1

    SHA256

    f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

    SHA512

    453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

  • \Users\Admin\AppData\Local\Temp\3CD2.tmp

    Filesize

    1.2MB

    MD5

    acfaca9d94b44a187e33255767ee3006

    SHA1

    95204663a94eb6db0fe2c2bf074f5e67f12df154

    SHA256

    8d46e44fe63521a9f85d1384c4c70cb3be7bb0053dc048c106396dea5bfd1e9a

    SHA512

    f1839c19b33781932ff25e462b685127e5917f850a7cf0054fc1687110bb52dbba3568053e549d2db0fcbfd55e34ad1229afabe0605f151b6ef983e23b6caf02

  • memory/1968-6-0x0000000000400000-0x0000000000606000-memory.dmp

    Filesize

    2.0MB

  • memory/2540-0-0x0000000000400000-0x0000000000606000-memory.dmp

    Filesize

    2.0MB

  • memory/2804-9-0x000000002F441000-0x000000002F442000-memory.dmp

    Filesize

    4KB

  • memory/2804-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2804-11-0x00000000717ED000-0x00000000717F8000-memory.dmp

    Filesize

    44KB

  • memory/2804-15-0x00000000717ED000-0x00000000717F8000-memory.dmp

    Filesize

    44KB