Analysis
- max time kernel: 0s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2023, 13:11
Static task
- static1: 1 signatures
Behavioral task
- behavioral1
  - Sample: 712af955d45e4cb10d26b4e27d58de3c.exe
  - Resource: win7-20231129-en
  - 7 signatures
  - 150 seconds
General
- Target: 712af955d45e4cb10d26b4e27d58de3c.exe
- Size: 324KB
- MD5: 712af955d45e4cb10d26b4e27d58de3c
- SHA1: 94eaaf79d768c90de818e04ca68d7da627138333
- SHA256: c18328409dbffaf6825e65ec6a41091c7baa59c779f9dfa37647f98bd5000329
- SHA512: a6a9f261d1f0e10d87a2f5fdd6f14f708a5cbc7347206b01b0bc2f9bce840471370a92c048193080b0a49687b3a8cdea4c222925201c911487983d0f4fd05c92
- SSDEEP: 6144:FqzanIDYbcdsx+GmlWzB+P+VZGrIorLaHo9b1q7kN8+Q:F5Z+GmlGhIIoKHoBBu+Q
Score
7/10
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID   Process
  2760  StartUp.exe
  2664  ctfmon.exe
- Loads dropped DLL (5 IoCs)
  PID   Process
  2940  712af955d45e4cb10d26b4e27d58de3c.exe
  2940  712af955d45e4cb10d26b4e27d58de3c.exe
  2760  StartUp.exe
  2760  StartUp.exe
  2664  ctfmon.exe
- Drops file in System32 directory (2 IoCs)
  Description                   IoC                               Process
  File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  712af955d45e4cb10d26b4e27d58de3c.exe
  File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  StartUp.exe
- Drops file in Windows directory (16 IoCs)
  Description                   IoC                               Process
  File opened for modification  C:\Windows\inf                    StartUp.exe
  File created                  C:\Windows\inf\MyEgg.exe          StartUp.exe
  File created                  C:\Windows\nAdin.com              StartUp.exe
  File opened for modification  C:\Windows\inf\ctfmon.exe         StartUp.exe
  File opened for modification  C:\Windows\inf\Ad32.exe           StartUp.exe
  File opened for modification  C:\Windows\inf\msvbvm60.dll       712af955d45e4cb10d26b4e27d58de3c.exe
  File created                  C:\Windows\ntpad.cmd              ctfmon.exe
  File opened for modification  C:\Windows\inf\ctfmon.exe         ctfmon.exe
  File created                  C:\Windows\SYSTEM\msvbvm60.dll    712af955d45e4cb10d26b4e27d58de3c.exe
  File created                  C:\Windows\inf\ctfmon.exe         StartUp.exe
  File opened for modification  C:\Windows\SYSTEM\msvbvm60.dll    712af955d45e4cb10d26b4e27d58de3c.exe
  File created                  C:\Windows\inf\msvbvm60.dll       712af955d45e4cb10d26b4e27d58de3c.exe
  File opened for modification  C:\Windows\inf\MyEgg.exe          StartUp.exe
  File opened for modification  C:\Windows\nAdin.com              StartUp.exe
  File created                  C:\Windows\inf\Ad32.exe           StartUp.exe
  File opened for modification  C:\Windows\ntpad.cmd              ctfmon.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (6 IoCs)
  PID   Process
  2940  712af955d45e4cb10d26b4e27d58de3c.exe
  2940  712af955d45e4cb10d26b4e27d58de3c.exe
  2760  StartUp.exe
  2760  StartUp.exe
  2664  ctfmon.exe
  2664  ctfmon.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Description                        PID   Process                               procid_target
  PID 2940 wrote to memory of 2760   2940  712af955d45e4cb10d26b4e27d58de3c.exe  17
  PID 2940 wrote to memory of 2760   2940  712af955d45e4cb10d26b4e27d58de3c.exe  17
  PID 2940 wrote to memory of 2760   2940  712af955d45e4cb10d26b4e27d58de3c.exe  17
  PID 2940 wrote to memory of 2760   2940  712af955d45e4cb10d26b4e27d58de3c.exe  17
  PID 2760 wrote to memory of 2664   2760  StartUp.exe                           16
  PID 2760 wrote to memory of 2664   2760  StartUp.exe                           16
  PID 2760 wrote to memory of 2664   2760  StartUp.exe                           16
  PID 2760 wrote to memory of 2664   2760  StartUp.exe                           16
Processes
- C:\Users\Admin\AppData\Local\Temp\712af955d45e4cb10d26b4e27d58de3c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\712af955d45e4cb10d26b4e27d58de3c.exe"
  PID: 2940
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\StartUp.exe
    Command line: "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\StartUp.exe"
    PID: 2760
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\inf\Ad32.exe
      Command line: C:\Windows\inf\Ad32.exe
      PID: 1560
- C:\Windows\inf\ctfmon.exe
  Command line: C:\Windows\inf\ctfmon.exe
  PID: 2664
  Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx