Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/12/2023, 23:59

General

  • Target

    07ce970f7c584e9ece86a07df4198ca4.exe

  • Size

    1.1MB

  • MD5

    07ce970f7c584e9ece86a07df4198ca4

  • SHA1

    8e63435eea731fb5191896aa17f91d0ff4110a8f

  • SHA256

    c28d1138b14e58c750896882c2832e4f2f7594c554eca20dc5fc454082fe1fa3

  • SHA512

    a641279c9f85499d43b0dfabb739fa216086fda26cdfcc330990bf217ffb18c862910cf05066456de935988974c9c74e5e241021eaf1e0d60c51c3f01b8eac63

  • SSDEEP

    24576:HAVgakfgrhMYPLgiRDo4DH+thd+hNd+37VbQtQCgwe/Qqs4ADmiff:HAtkYriH4Sl+hf+37VbQxJqs4Ais

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07ce970f7c584e9ece86a07df4198ca4.exe
    "C:\Users\Admin\AppData\Local\Temp\07ce970f7c584e9ece86a07df4198ca4.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c \DelUS.bat
      2⤵
      • Deletes itself
      PID:560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\DelUS.bat

    Filesize

    200B

    MD5

    73bc07090954864957d9f0dbb4ccaad7

    SHA1

    f69c0f89f5c5c626b20d85eed8bb7784a886e378

    SHA256

    89b16b350bda5e3403cfc0ce9102879a96c453ac8fff43b5923dce075cebc008

    SHA512

    6943edf99eb5ce084d7b92eb2d7141217c545561a5aa1fc9b4dfe63c35ca50ab50f1a50f3e0c3a5e467e8231cd094e65359c8426b6838822338c5fe26d62da02

  • \Program Files (x86)\ieguide_v3\niebar.dll

    Filesize

    238KB

    MD5

    6b8cf6d6540957481e69244fc679fe4e

    SHA1

    ed0a7007770e84439cc01661daeebda8c25b1264

    SHA256

    df32e6aec0f82c7ca7d908b1bc93854e41f3b8598c5b30ee46a58e25ff1ceeeb

    SHA512

    f2e114c96eea5b7b485332b20d03350dfea32fa83e7b326f94f49d79612238a7340bda91bfc0eac33f19877be77e7b6ef74c5977fc4426770d8a7d872c58e4d9

  • \Program Files (x86)\ieguide_v3\niebho.dll

    Filesize

    260KB

    MD5

    a9edd749425b975acbe1594dfb986096

    SHA1

    30d1379a666eae50e0ddf2f87693190706dcc02f

    SHA256

    87f399d3a6d47a84564778eaced548937b983c164ffb57f8066f25af440ebbf5

    SHA512

    09cbea06cc7030315ac3342bc02e62d66ec1a8c9a84b92c39e5dd37cf9ef5e6648084aeb22dd83797c2af88dbedd87ad65237dabc5298d80860a06cd5a63ccf3

  • \Users\Admin\AppData\Local\Temp\nsj7C14.tmp\DLLWebCount.dll

    Filesize

    28KB

    MD5

    d825e4003d1697fd4bc45361e222746c

    SHA1

    e9d4b1073aac15d4dbb430471fcaea549e633d13

    SHA256

    c79e4be74eecf16f2f7f1d39724c938bf372e9568bb96fa4610926a57fe323f5

    SHA512

    7740a18cae5a42963c748a49ac6175482c93b34dce703a7cf24f5828ee6cdc19eb2669a634b64c2a4c861272f7e9b9e943455195a7cd6afcd8fa5586744eb86f

  • \Users\Admin\AppData\Local\Temp\nsj7C14.tmp\FindProcDLL.dll

    Filesize

    31KB

    MD5

    83cd62eab980e3d64c131799608c8371

    SHA1

    5b57a6842a154997e31fab573c5754b358f5dd1c

    SHA256

    a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

    SHA512

    91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

  • \Users\Admin\AppData\Local\Temp\nsj7C14.tmp\SelfDelete.dll

    Filesize

    24KB

    MD5

    7bf1bd7661385621c7908e36958f582e

    SHA1

    43242d7731c097e95fb96753c8262609ff929410

    SHA256

    c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

    SHA512

    8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

  • memory/2420-14-0x0000000002420000-0x00000000024DE000-memory.dmp

    Filesize

    760KB

  • memory/2420-15-0x0000000000350000-0x0000000000352000-memory.dmp

    Filesize

    8KB

  • memory/2420-19-0x00000000003E0000-0x00000000003E2000-memory.dmp

    Filesize

    8KB

  • memory/2420-18-0x0000000002420000-0x00000000024CC000-memory.dmp

    Filesize

    688KB