Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
29/12/2023, 23:09
Static task
static1
Behavioral task
behavioral1
Sample
06878532d9bc29f83b085018700f408b.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
06878532d9bc29f83b085018700f408b.exe
Resource
win10v2004-20231215-en
General
-
Target
06878532d9bc29f83b085018700f408b.exe
-
Size
289KB
-
MD5
06878532d9bc29f83b085018700f408b
-
SHA1
ce6456855868264d0847cc0f3d85d261c196e064
-
SHA256
bef40642a079f003a4f781cca2e276025f0d5627c240480489ab9dc4b86a271c
-
SHA512
0bacae3d7838b5e28ecee1c7153376a05ee93931899191cea71f53c5a572ccaa452aad1d5907a94604319602327237a853cd477447f5fdcdff52a3317b0fe348
-
SSDEEP
6144:jjLei4XUPyBKd6q5UfixpWzT7sNPwocpHkaVRo7/A4sTOH:jOQPMO6q5SiQ/sIoclznX466
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2108 MediaXCodec(3).exe -
Loads dropped DLL 2 IoCs
pid Process 1072 06878532d9bc29f83b085018700f408b.exe 1072 06878532d9bc29f83b085018700f408b.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 06878532d9bc29f83b085018700f408b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Player.exe" MediaXCodec(3).exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1072 wrote to memory of 2108 1072 06878532d9bc29f83b085018700f408b.exe 15 PID 1072 wrote to memory of 2108 1072 06878532d9bc29f83b085018700f408b.exe 15 PID 1072 wrote to memory of 2108 1072 06878532d9bc29f83b085018700f408b.exe 15 PID 1072 wrote to memory of 2108 1072 06878532d9bc29f83b085018700f408b.exe 15
Processes
-
C:\Users\Admin\AppData\Local\Temp\06878532d9bc29f83b085018700f408b.exe"C:\Users\Admin\AppData\Local\Temp\06878532d9bc29f83b085018700f408b.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MediaXCodec(3).exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MediaXCodec(3).exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2108
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD57e9775a6a5b6fdcd67165b9db5175922
SHA1ee8d280fe54addc1729f8621a7257f4900dbbd05
SHA256e06c5d7067196b93c4b43a71570a51a4d409002e2c1a64d35e30232892f2c3bc
SHA512c04482444da547c4121da1f46a2b2f353e352ddd4fef2e631402b34176fcc06def0a9dd5a8cf02d137d820b9d29239c6fbfc16d4f941bcd22940a3e0b653e790
-
Filesize
1KB
MD55846e6c1be0eabc145ddb5f012223029
SHA11174b8de50fa189e96182ae1417888be08026db3
SHA256742c9e63f951b2348a57495ead4a0428a97faf64df5e315d86dc345fc46c48eb
SHA512b669e710cc1e0a17c89fa5f2cf588c643a4e7b911f02ef785255bd0413ff83b83f1b91c968d818ebd61a44cea072d87f43935fc77369034d4e5b779bc12335da