Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/12/2023, 22:33

General

  • Target

    05b61e1ecdeef855125b966e0ce02f54.exe

  • Size

    3.0MB

  • MD5

    05b61e1ecdeef855125b966e0ce02f54

  • SHA1

    21b81dd98421d0e060dfa68c7edd4829126cd936

  • SHA256

    2c8582895c86201aa9f95178e45f7a5d5d4bbe4cba3d35cddbb1219d3169903b

  • SHA512

    ffc74de2ffebf7057b1cf0eb886ee476ec12be0b8508b23124788a39ea9b3f1df839161a5413b4f5f2b170e063e2f9e3d5ec357296713100a4bf7414f77badbc

  • SSDEEP

    49152:cx0py9HwcakLhukrCZ6T6GfUstcakLc2QTl/UD0b3NAzYGcakLhukrCZ6T6GfUsI:cx3pwcakl1rCZ+6GfUstcakY2mlc4GYk

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe
    "C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe
      C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe" /TN Nnb8kaFf43a4 /F
        3⤵
        • Creates scheduled task(s)
        PID:2708
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\7m498.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN Nnb8kaFf43a4
          4⤵
          PID:2824

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe

      Filesize

      359KB

      MD5

      87f848504046d20be653e062ebd657c9

      SHA1

      29e9e1a2e7f2e0c0236b939eccfd1a48ca14aa3f

      SHA256

      67f25ac26eef424db8b8db584f625ef9b10f8ebcdc4d2dacdb189825c1177d41

      SHA512

      160dfb0c2ebcd5868a82e99e6579a507d8947596ba4365e7f2d7d691fcd174b3e57d5589c4c9fb61935f1f4dbef111bd82d7b3f80ea9a230b48c7de28419aa11

    • C:\Users\Admin\AppData\Local\Temp\7m498.xml

      Filesize

      1KB

      MD5

      80a3688a8acb6249ad4604691531248e

      SHA1

      ec960fb659392255f47d73804f767c11028c041a

      SHA256

      73ee32732abdb681ed14667397420198c744f76412132c3e7fc5bb34f0898d25

      SHA512

      fd04e43c86776df9e1c2fa117a25cf628eabbb79796971a9c7bd126ef0e287153255660c0639dfb71dc9b7ae0e59f79a1fa4d1e6e8573df30e564ce8d3a6ed88

    • \Users\Admin\AppData\Local\Temp\05b61e1ecdeef855125b966e0ce02f54.exe

      Filesize

      486KB

      MD5

      86486ff683b2e756b416f69e7e06ed0a

      SHA1

      d732eb2e8883b48fc04cbb9ff36e872fda54d09a

      SHA256

      a7ef46b95778530bc4ce91ac25001ed42f530db0be2d73651a4b47b6e3ae7d73

      SHA512

      7b750aa65d24849b80af72ecea01dd7a5228879717448cb231b453128c4e4cef683621d27417b4a504bfbdda3419e6e9ac6abf65eaa0c95b6cdd03475f567955

    • memory/2728-28-0x00000000002B0000-0x000000000031B000-memory.dmp

      Filesize

      428KB

    • memory/2728-20-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2728-22-0x00000000001B0000-0x000000000022E000-memory.dmp

      Filesize

      504KB

    • memory/2728-26-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/2728-32-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2756-1-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/2756-16-0x00000000235C0000-0x000000002381C000-memory.dmp

      Filesize

      2.4MB

    • memory/2756-15-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/2756-0-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2756-2-0x0000000000240000-0x00000000002BE000-memory.dmp

      Filesize

      504KB