Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

783032c39a...f0.exe

windows7-x64

10

783032c39a...f0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    219s
  • max time network
    289s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    783032c39a1b128532724362efb6c9f0.exe

  • Size

    195KB

  • MD5

    783032c39a1b128532724362efb6c9f0

  • SHA1

    ce4d6f3554296bb48265fd245536a2ac527878d3

  • SHA256

    21b8c34f00e3e840e24f365946f6cfbb87d21ebb2d76c666644bc9cbf52084fd

  • SHA512

    199b3fa25d924f6539733c97c4bf800005e0468cdaf39ec25bbf12cf7d37d06ce0e6ed20b0db98efb803a045802c6e6716ac1b0ac0a8b5bf1a07477921dcaf50

  • SSDEEP

    3072:17fM5EWgd1mEwIEaSdkQzRLs9T7r5NOSqeXWZ+2sDOgLw8DlKLD7hSs:1fkEdr3wnPZEHfOSqGlBLxRiA

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 24 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Unexpected DNS network traffic destination 8 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:472
  • C:\Users\Admin\AppData\Local\Temp\783032c39a1b128532724362efb6c9f0.exe
    "C:\Users\Admin\AppData\Local\Temp\783032c39a1b128532724362efb6c9f0.exe"
    1⤵
    • Registers COM server for autorun
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      PID:2248
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \systemroot\Installer\{6367fb4b-b5c9-d074-f341-f311a16214c0}\@
      Filesize

      2KB

      MD5

      43604f0ef5e0e366faa088f5cb42fa44

      SHA1

      b1756f9efa1f3ccccab1fa2c82d8d324cddf35cb

      SHA256

      519b475307972bd12184e58b7bc89a23709314b3148decc83b2a4fcf70fb332b

      SHA512

      2001547b926aa9c2718d7a023d3946add364f713e24b5225e5b91ea01dac203f3dc859c078c5ea0f9a14c01300ed1da09c03fa0d550e38c9d33478f23b905a16

      Download Submit

    • memory/472-35-0x00000000000F0000-0x00000000000FF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/472-42-0x00000000000F0000-0x00000000000FF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/472-29-0x00000000000E0000-0x00000000000EF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/472-34-0x00000000000F0000-0x00000000000FF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/472-33-0x00000000000E0000-0x00000000000EF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1204-8-0x0000000002A30000-0x0000000002A3F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1204-19-0x0000000002A40000-0x0000000002A4F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1204-18-0x0000000002A40000-0x0000000002A4F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1204-17-0x0000000002A30000-0x0000000002A3F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1204-16-0x0000000002A10000-0x0000000002A1C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1204-12-0x0000000002A30000-0x0000000002A3F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1204-5-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-20-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-21-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-1-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-4-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-0-0x0000000000220000-0x0000000000221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2852-36-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-38-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-2-0x0000000000230000-0x0000000000265000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-41-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-3-0x0000000000270000-0x0000000000271000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2852-43-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2852-48-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download