Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0967209acb...19.exe

windows7-x64

7

0967209acb...19.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0967209acb6af811572b6576a90abd19.exe

  • Size

    3.1MB

  • MD5

    0967209acb6af811572b6576a90abd19

  • SHA1

    a5385c87600986a612a03d26ea1e9ff37ffdcc31

  • SHA256

    e72d1282f30fed67d34ed0eb66169c20d3744ab2d2bc1361d178412a8801da60

  • SHA512

    208d5740902ba0ee1afdfee46d1445fc2edd0579d2c0e50a742121fee0b10a174ed3e32f7ddf9f6239a3398d1adc154015eaf56da2a174f3d4a2fd9cac7c6a46

  • SSDEEP

    98304:T6YGnLzxmAf4GxIAfxmYPirQZRLzxmAf4GxIAfxmYPG:TCxmAf4vAOr2xxmAf4vAK

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0967209acb6af811572b6576a90abd19.exe
    "C:\Users\Admin\AppData\Local\Temp\0967209acb6af811572b6576a90abd19.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start winnet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2580
    • C:\Users\Admin\AppData\Local\Temp\CMD.exe
      "C:\Users\Admin\AppData\Local\Temp\CMD.exe" /C SET MXHOME=%cd%&SET MXBIN=%cd%&firedaemon -i winnet "%cd%" "%cd%\Winnet.exe" "Winnet.dll" Y 0 0 N Y>>debug.txt
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2488
  • C:\Users\Admin\AppData\Local\Temp\FireDaemon.EXE
    C:\Users\Admin\AppData\Local\Temp\FireDaemon.EXE
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 212
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:2616
    • C:\Users\Admin\AppData\Local\Temp\Winnet.exe
      C:\Users\Admin\AppData\Local\Temp\Winnet.exe Winnet.dll
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2812
  • C:\Users\Admin\AppData\Local\Temp\Winnet.exe
    C:\Users\Admin\AppData\Local\Temp\Winnet.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:808
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start winnet
    1⤵
      PID:2112
    • C:\Users\Admin\AppData\Local\Temp\firedaemon.exe
      firedaemon -i winnet "C:\Users\Admin\AppData\Local\Temp" "C:\Users\Admin\AppData\Local\Temp\Winnet.exe" "Winnet.dll" Y 0 0 N Y
      1⤵
      • Executes dropped EXE
      PID:2796

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/808-47-0x0000000061000000-0x0000000061162000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/808-44-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/1520-23-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB

      Download

    • memory/2488-17-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2488-20-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2796-21-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2796-19-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2812-43-0x0000000018F20000-0x0000000018F79000-memory.dmp

      Filesize

      356KB

      Download

    • memory/2812-51-0x0000000061000000-0x0000000061162000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2812-50-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/2812-37-0x0000000061000000-0x0000000061162000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2812-33-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/2824-48-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2824-25-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2824-30-0x0000000000580000-0x00000000005D9000-memory.dmp

      Filesize

      356KB

      Download

    • memory/2824-32-0x0000000000580000-0x00000000005D9000-memory.dmp

      Filesize

      356KB

      Download