Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    239s
  • max time network
    290s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 23:35

General

  • Target

    0719756f5bb4eae79bc8128a46fe2f4f.exe

  • Size

    28KB

  • MD5

    0719756f5bb4eae79bc8128a46fe2f4f

  • SHA1

    61c2f981b9534840c24a6af63e95b84359bc612e

  • SHA256

    61b6d78da9996b7268edfc3bc77f818c15b2b1120b7d2e5b3c3bf3554f315183

  • SHA512

    a795ae0e89a442c3cd45692ab2f9b1219c4ecf0023e6fce64e6b575c4d18f9717cd22dd51a229cbfdc871ad586af0fe448087ff0fa8f2054e7c1e65b9597c435

  • SSDEEP

    384:kCKbQGufI8mQ9KaonyCvNmp5pnoQVYAtK9pSvILoj6qJx++j+jp0pNpRTZ2n+x0G:k52LKzyqmJnHyAtKzCILCJg+jmivwne

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0719756f5bb4eae79bc8128a46fe2f4f.exe
    "C:\Users\Admin\AppData\Local\Temp\0719756f5bb4eae79bc8128a46fe2f4f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Windows\SysWOW64\NTdHcP.exe
      C:\Windows\system32\NTdHcP.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1208
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\Deleteme.bat
      2⤵
      • Deletes itself
      PID:368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Deleteme.bat

    Filesize

    184B

    MD5

    a844c857bac0b3b82f751a079eb88228

    SHA1

    2e9aa28e4901b54ce374121e93bdc4a23fb8f0d7

    SHA256

    b16a487376d09dd3b930fcdbf54a4c114ec47e2a63a1d21042ba6e07d4fdaa38

    SHA512

    06c960660c188e31ed17fef6c18f85bee06c47caac6e910ae4592cbf05f1dc51a12f2976543de802847215a0cd2269937bddda066b203db408522acd95626076

  • \Windows\SysWOW64\NTdHcP.exe

    Filesize

    28KB

    MD5

    0719756f5bb4eae79bc8128a46fe2f4f

    SHA1

    61c2f981b9534840c24a6af63e95b84359bc612e

    SHA256

    61b6d78da9996b7268edfc3bc77f818c15b2b1120b7d2e5b3c3bf3554f315183

    SHA512

    a795ae0e89a442c3cd45692ab2f9b1219c4ecf0023e6fce64e6b575c4d18f9717cd22dd51a229cbfdc871ad586af0fe448087ff0fa8f2054e7c1e65b9597c435

  • memory/672-0-0x0000000000400000-0x000000000041D200-memory.dmp

    Filesize

    116KB

  • memory/672-1-0x0000000000400000-0x000000000041D200-memory.dmp

    Filesize

    116KB

  • memory/672-5-0x0000000000220000-0x000000000023E000-memory.dmp

    Filesize

    120KB

  • memory/672-23-0x0000000000400000-0x000000000041D200-memory.dmp

    Filesize

    116KB

  • memory/1208-12-0x0000000000400000-0x000000000041D200-memory.dmp

    Filesize

    116KB

  • memory/1208-21-0x0000000000400000-0x000000000041D200-memory.dmp

    Filesize

    116KB