Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 09:34

General

  • Target

    6434eaf1e3f70480bc40f1216bc4641f.exe

  • Size

    38KB

  • MD5

    6434eaf1e3f70480bc40f1216bc4641f

  • SHA1

    bb7f3d02034b1267724983518cd831d2d4518c1a

  • SHA256

    85231a8f5e9c681d7d5e6cdcc19da450eab541ba0c981f3d15322e8abfbb93e7

  • SHA512

    ea6fdeeaac48418b3af99bde17ae77ac4b4e892a2665d997de4453b80df574bea3440d174b02c62c7c8e47c6bbfcdc39e2cd980b6134f1de81f204a690013496

  • SSDEEP

    768:T7WXtbVrCBN29+eiYc3OZ6CV2ZVO8GEDcinf:T7WXtb1Cv+YYc3c65ZVOpUnf

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 32 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe
    "C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe"
    1⤵
    • Loads dropped DLL
    • Drops autorun.inf file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\.exe
      C:\Users\Admin\AppData\Local\Temp\.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1052
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" user Admin
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user Admin
        3⤵
          PID:2436
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:2044
      • C:\Windows\system32\csrss.exe
        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
        1⤵
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:1720
      • C:\Windows\system32\winlogon.exe
        winlogon.exe
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:608

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\.exe

        Filesize

        38KB

        MD5

        b84f4d30d66b22bbfe3c86ee3bfcda7b

        SHA1

        dcc9edbe553b4c15e55df8a7ee7d4403e962d2ff

        SHA256

        b3e108bd65af42b1ac999c34420e015c8521cc263b39b829982b21eefb816e2f

        SHA512

        37016c1f9fe9e2409c9516ba86d843fb1980136e30091342094cbcb9f2acf3c8b8239ee5dd15b493f38d32f454b64920a852b852b964821f9e1e95c8dcbaaa69

      • memory/608-21-0x00000000026E0000-0x00000000026E1000-memory.dmp

        Filesize

        4KB

      • memory/608-22-0x00000000026E0000-0x00000000026E1000-memory.dmp

        Filesize

        4KB

      • memory/1052-12-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/2044-19-0x00000000029C0000-0x00000000029C1000-memory.dmp

        Filesize

        4KB

      • memory/2236-0-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/2236-9-0x0000000000320000-0x000000000033F000-memory.dmp

        Filesize

        124KB

      • memory/2236-11-0x0000000000320000-0x000000000033F000-memory.dmp

        Filesize

        124KB

      • memory/2236-20-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB