Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 15:50

General

  • Target

    7a4200f2f3c210f3a24927b5d6fb61e2.exe

  • Size

    87KB

  • MD5

    7a4200f2f3c210f3a24927b5d6fb61e2

  • SHA1

    f731e312af80f0cc6b73ae28b5431c83f52f8a37

  • SHA256

    75feb7e282987ce9f4a072b4c32ad2b3313cc65206fcb1a1e04ef7194709d4e8

  • SHA512

    aa03837c8d8ad68a5af0a5eb41148ffb0134113faf9cc92128f7d14892e5145713c690951920cf8312fdc0ab02f7535234c570b0f34a629d6e88dbdf14959d82

  • SSDEEP

    768:6x39TEu51YZP9euPoUPlLx39TEu51YZP9euPoUPlDOdQC+NaH9K7lgiJ2SR7mcd7:6bsP9evUPBbsP9evUPBOfin

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe
    "C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe
      "C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1872
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 116
    1⤵
    • Loads dropped DLL
    • Program crash
    PID:2772
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 116
    1⤵
    • Program crash
    PID:2952
  • C:\Windows\SysWOW64\ntldr.exe
    "C:\Windows\SysWOW64\ntldr.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2712
  • C:\Windows\SysWOW64\ntldr.exe
    "C:\Windows\system32\ntldr.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1872-10-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1872-22-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1872-14-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1872-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1872-16-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1872-8-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1872-6-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1872-4-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1872-2-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1872-0-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1872-56-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2712-51-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2712-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB