Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 13:10
Static task
static1
Behavioral task
behavioral1
  Sample: 7124a58af5e94cb441bbd28cc798477a.exe
  Resource: win7-20231215-en
Behavioral task
behavioral2
  Sample: 7124a58af5e94cb441bbd28cc798477a.exe
  Resource: win10v2004-20231215-en
General
Target: 7124a58af5e94cb441bbd28cc798477a.exe
Size: 44KB
MD5: 7124a58af5e94cb441bbd28cc798477a
SHA1: 10d2b874e556d12af77cdf89280da431161add66
SHA256: 044a7ab33d02daa94d52789de3c10195f619c4f63df289e0301033c3847ba10c
SHA512: ad354c48642f21a04189d6431da1e7e8c9a9056b7de73ec3d8df49814ed9e031fa8c8bcf2c61d3139625dd9a865d381ef691f6583093f78251882f835d44480f
SSDEEP: 384:yntoj50nHvklnCahaMaFUX6/IAh///18JfTuDGvq8JU3uohFhOYza4ICA4yfLPfE:ueimnCaTgSUTyJfpyj+EzBzR9A4yfUB
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2404 | process ctfmon.exe
Loads dropped DLL (1 IoC)
  pid 1648 | process 7124a58af5e94cb441bbd28cc798477a.exe
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\ctfmon.exe | process 7124a58af5e94cb441bbd28cc798477a.exe
  File opened for modification: C:\Windows\ctfmon.exe | process 7124a58af5e94cb441bbd28cc798477a.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1648 | process 7124a58af5e94cb441bbd28cc798477a.exe (4 occurrences)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1648 | process 7124a58af5e94cb441bbd28cc798477a.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1648 wrote to memory of 2404 | process 7124a58af5e94cb441bbd28cc798477a.exe | procid_target 28 (4 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\7124a58af5e94cb441bbd28cc798477a.exe (PID 1648)
  command line: "C:\Users\Admin\AppData\Local\Temp\7124a58af5e94cb441bbd28cc798477a.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\ctfmon.exe (PID 2404, child of PID 1648)
    command line: "C:\Windows\ctfmon.exe"
    - Executes dropped EXE
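The behaviour chain above is a common drop-and-execute pattern: the sample writes an executable named ctfmon.exe directly under C:\Windows (the genuine CTF Loader lives in C:\Windows\System32), launches that copy as a child, and then writes into the child's memory. The following is an added example of detection logic for that chain, not tria.ge tooling or code from the sample. It runs over constructed Sysmon-style records whose field names (type, pid, image, target, source_pid, target_pid, granted_access) are an assumed simplified schema; the PIDs, paths and the sample SHA256 are taken from this report, while mapping the WriteProcessMemory signature to a ProcessAccess event carrying PROCESS_VM_WRITE is an assumption about how the same activity would surface in endpoint telemetry.

```python
"""Detect a dropped executable masquerading as a System32 binary under C:\\Windows
that is then executed and written into by its dropper.

Added example (not tria.ge code). Event schema and sample events are constructed.
"""
import ntpath

# Binaries that legitimately live in %SystemRoot%\System32; a same-named file
# directly under %SystemRoot% is a masquerading indicator. (Assumed short list.)
SYSTEM32_NAMES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
WINDOWS_ROOT = r"c:\windows"
PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory requires (assumed field)

# Sample hash from the report's General section.
KNOWN_SHA256 = {"044a7ab33d02daa94d52789de3c10195f619c4f63df289e0301033c3847ba10c"}


def normalize(path: str) -> str:
    """Case-insensitive, normalised Windows path (ntpath works on any host OS)."""
    return ntpath.normpath(path).lower()


def is_root_masquerade(path: str) -> bool:
    """True when an executable sits directly under C:\\Windows but carries a System32 name."""
    p = normalize(path)
    return ntpath.dirname(p) == WINDOWS_ROOT and ntpath.basename(p) in SYSTEM32_NAMES


def detect(events):
    """Return alert strings for the drop -> execute -> write-into-child chain."""
    alerts = []
    dropped = {}           # normalised path -> pid that created it
    dropper_children = {}  # child pid -> pid of the process that dropped its image
    for ev in events:
        kind = ev["type"]
        if kind == "FileCreate" and is_root_masquerade(ev["target"]):
            dropped[normalize(ev["target"])] = ev["pid"]
            alerts.append(f"masquerade drop: pid {ev['pid']} wrote {ev['target']}")
        elif kind == "ProcessCreate":
            img = normalize(ev["image"])
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                alerts.append(f"known-bad hash: pid {ev['pid']} {ev['image']}")
            if img in dropped:
                dropper_children[ev["pid"]] = dropped[img]
                alerts.append(f"dropped EXE executed: pid {ev['pid']} {ev['image']} "
                              f"(dropped by pid {dropped[img]})")
        elif kind == "ProcessAccess":
            src, dst = ev["source_pid"], ev["target_pid"]
            if dropper_children.get(dst) == src and ev["granted_access"] & PROCESS_VM_WRITE:
                alerts.append(f"memory write into dropped child: pid {src} -> pid {dst}")
    return alerts


# Constructed events mirroring the report's process tree (hashes of the dropped
# copy are not given on the page, so that record carries none).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1648, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7124a58af5e94cb441bbd28cc798477a.exe",
     "sha256": "044a7ab33d02daa94d52789de3c10195f619c4f63df289e0301033c3847ba10c"},
    # Benign control: the real CTF Loader started from System32 must not alert.
    {"type": "ProcessCreate", "pid": 900, "ppid": 700,
     "image": r"C:\Windows\System32\ctfmon.exe"},
    {"type": "FileCreate", "pid": 1648, "target": r"C:\Windows\ctfmon.exe"},
    {"type": "ProcessCreate", "pid": 2404, "ppid": 1648, "image": r"C:\Windows\ctfmon.exe"},
    {"type": "ProcessAccess", "source_pid": 1648, "target_pid": 2404, "granted_access": 0x1FFFFF},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The benign System32 record is included deliberately: a rule keyed on the file name alone would fire on every interactive logon, so the path check compares the parent directory, not just the basename. The hash match is a separate, weaker signal; the drop-and-execute chain is what carries the detection once the sample is repacked.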
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 189KB
  MD5: f2c7bb8acc97f92e987a2d4087d021b1
  SHA1: 7eb0139d2175739b3ccb0d1110067820be6abd29
  SHA256: 142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2
  SHA512: 2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8
- Filesize: 23KB
  MD5: ad7396d7c2eb340d189ce0bcfe689837
  SHA1: 1ae6fd993ee582baed8a219b2ff606f5c1d055cd
  SHA256: 691fd566ab054a217ad43b3f66f2de6e6aed4af688d1f75d0c14f63e2381c07c
  SHA512: e74f52f6bfee91f65c012dba79f70b91a4e3aefa76eb3b8708c2e4eca3e72422cef736c1af26e3c3861a6e235eabfce5c0c4900e0cd1cb164947de4e9e7ce93e