Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 19:22

General

  • Target

    01902ed02184df361f01e1d57012489b.exe

  • Size

    242KB

  • MD5

    01902ed02184df361f01e1d57012489b

  • SHA1

    03de274d683d18c90349fc5f4a3fb9072af62c0b

  • SHA256

    ec5b0c2e8f8d189266ac2a4aa3eb156491e74364d0818fefb6cb374f3f6d19aa

  • SHA512

    90a7699b5fe04e05c5b3139253504dbb3f186bce22d6ea6f8b1fe5f8e0c82e46529fb00290524b9538fb9a39924e83ec2d142e43b82fda2f42eba52615685ac5

  • SSDEEP

    6144:J1yUN7pmPUk9VMwXHOCgs+ej/4+zBNnmjf5WWjU:JQ8pQ96w+ns+GwoNnm

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\SysWOW64\isass.exe
    C:\Windows\system32\isass.exe C:\Users\Admin\AppData\Local\Temp\01902ed02184df361f01e1d57012489b.exe
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Modifies registry class
    PID:2752
  • C:\Users\Admin\AppData\Local\Temp\01902ed02184df361f01e1d57012489b.exe
    "C:\Users\Admin\AppData\Local\Temp\01902ed02184df361f01e1d57012489b.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\isass.exe

    Filesize

    92KB

    MD5

    55898b5a0ff7f8519160fcd04bcf54cc

    SHA1

    d3fcd65d59eeecbe97043df27736b7e7583778db

    SHA256

    8c7cf9466e35a0c36b74a00bbd70c7c45600dae4fadede80a401077c89408daf

    SHA512

    7e815409988b1158c36a706c398076f70ddf764e632527ee92e314b8c1d67f0cc911647575094ea2a2ff966fd430959bff2486296b0c62be2a3a621cc17c1f4b

  • C:\Windows\SysWOW64\isass.exe

    Filesize

    242KB

    MD5

    01902ed02184df361f01e1d57012489b

    SHA1

    03de274d683d18c90349fc5f4a3fb9072af62c0b

    SHA256

    ec5b0c2e8f8d189266ac2a4aa3eb156491e74364d0818fefb6cb374f3f6d19aa

    SHA512

    90a7699b5fe04e05c5b3139253504dbb3f186bce22d6ea6f8b1fe5f8e0c82e46529fb00290524b9538fb9a39924e83ec2d142e43b82fda2f42eba52615685ac5

  • memory/1680-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1680-12-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

  • memory/1680-13-0x00000000004A0000-0x0000000000533000-memory.dmp

    Filesize

    588KB

  • memory/1680-5-0x00000000004A0000-0x0000000000533000-memory.dmp

    Filesize

    588KB

  • memory/1680-0-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

  • memory/2752-15-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2752-14-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

  • memory/2752-17-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB