Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 03:28

General

  • Target

    0cf5390295c3b5cd1e4d8fa29ec624aa.exe

  • Size

    271KB

  • MD5

    0cf5390295c3b5cd1e4d8fa29ec624aa

  • SHA1

    569323435ee0fdff12cb927a0583636591342846

  • SHA256

    3648ed90c126b451398fb10a2aaa053c21960c9a6451300f9dd9b84c973c2d58

  • SHA512

    33d285497e6880bbb9b5ac0f7abd0acb9997439f4eeacf4499406a0ee4828a7f42ae1384bb6ff765264985ddd094f5be76a657f3bd7591ff228610cc4e302043

  • SSDEEP

    6144:bUrqA3AheuswyPnDh4+AVx1OSu4u/mRMnxaHnb0sK5R2:bUWA3AheuswyLhDax8Snu/aMxKrl

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (7 IoCs)
  • Loads dropped DLL (11 IoCs)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (21 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (63 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cf5390295c3b5cd1e4d8fa29ec624aa.exe
    "C:\Users\Admin\AppData\Local\Temp\0cf5390295c3b5cd1e4d8fa29ec624aa.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\start.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\start.exe" o6 (Small).jpg
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1884
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2744
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2596
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2764
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1160
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2108
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MSWINSCK.oca

    Filesize

    21KB

    MD5

    1c239f9c061f5c84874481d2c876bf80

    SHA1

    9d72e36fdc6569cd407af822c548c462227248cd

    SHA256

    9fd77d86e00a5bec45f3825d4f7c8965b6b9d54ec161c10d0c0d23e36493ab88

    SHA512

    cdc7ea38e32ffff5c5e617ec9d3306d64ca8eab44561146d9e1213d83afee80aa95f05b184374eb5356e552b40825b0f0bc260be0c1238579c6520fa1c80d5c8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MSWINSCK.ocx

    Filesize

    92KB

    MD5

    cee3f0d67777d0f3af6afb902f076ee8

    SHA1

    aa0a06932aebaacff28b380d236af29e4b3d818e

    SHA256

    ff4efb994bd4492347d4014274ed8919c4cbb26fdb40563206dd97e349dde780

    SHA512

    592d1ef6e34465ebb0b70f4bf5ce11aa6c67bd3af46bac973b09f5bf85f6b0c8d48f18e6fad3906ef112b1be5be592d1e48b63863c92036dbbaec4aaad7edebb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\start.exe

    Filesize

    40KB

    MD5

    9e8de391f13042eaf1e3e0535cd2a0c2

    SHA1

    5f1557e5da87529718382ce2c6daae381b0fab25

    SHA256

    07660ac4b6a788014bb09130a53dc02fac545002b9d31ef13d811b29117d42a8

    SHA512

    f71a8a22cc099c940dee6e7e5a0eaa36cac8c60d39f167777283b5753f9b4a1f2c74b96f5161a703e16370bb98afe9ad73404408f0ab4f81fbcb6f58b3ac4544

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe

    Filesize

    56KB

    MD5

    18a6ce8b4b65d96cd25e5d9052f135d7

    SHA1

    aa17693a96a928069458facf79d5f2b9bd1b21f7

    SHA256

    4264386d61a9d6938f6ef76dd8bdd73f589b948e67b08d3334051429a3fffe1d

    SHA512

    8b9a269ac3984ff69b2bb7d0302ec288b208b76d3c190d0a3c07b03695a15f2648f0e322c6bfb82bdd36465e89ed47f87bf4a937dcdb20f4ed137f124de950cc

  • memory/1884-34-0x0000000002920000-0x0000000002922000-memory.dmp

    Filesize

    8KB

  • memory/2744-35-0x0000000000230000-0x0000000000232000-memory.dmp

    Filesize

    8KB
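The process tree above shows the sample dropping executables into %APPDATA%\Roaming\Microsoft\Windows and running them under system-process names (csrss.exe) or lookalikes of them (winlogon32.exe), while the Downloads section gives SHA256 values for the dropped files. The following Python is an added triage example written for this page; it is not tria.ge code and not the sandbox's signature engine. The rule names, the event dictionary layout and the sample events are the editor's own constructions modelled on the process tree; the hash table is copied from the report. Note the caveat built into the masquerade rule: the DllHost.exe instance in the tree runs from SysWOW64, which is a legitimate location for 32-bit COM surrogates, so both System32 and SysWOW64 are treated as trusted system directories.

```python
"""Triage helpers for the behaviours and dropped-file hashes in this report.

Added example, not part of the tria.ge report. Rule names and the sample
events are constructed for illustration; the SHA256 values come from the
report's General and Downloads sections.
"""
import hashlib
import ntpath
import re
from typing import Dict, List

# SHA256 of the submitted sample and the dropped files listed in the report.
KNOWN_SHA256: Dict[str, str] = {
    "0cf5390295c3b5cd1e4d8fa29ec624aa.exe":
        "3648ed90c126b451398fb10a2aaa053c21960c9a6451300f9dd9b84c973c2d58",
    "MSWINSCK.oca":
        "9fd77d86e00a5bec45f3825d4f7c8965b6b9d54ec161c10d0c0d23e36493ab88",
    "MSWINSCK.ocx":
        "ff4efb994bd4492347d4014274ed8919c4cbb26fdb40563206dd97e349dde780",
    "start.exe":
        "07660ac4b6a788014bb09130a53dc02fac545002b9d31ef13d811b29117d42a8",
    "winlogon32.exe":
        "4264386d61a9d6938f6ef76dd8bdd73f589b948e67b08d3334051429a3fffe1d",
}

# Names of Windows processes that legitimately live only in a system directory.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "smss.exe", "svchost.exe", "dllhost.exe",
}
# SysWOW64 is included on purpose: 32-bit DllHost.exe runs from there legitimately.
WINDOWS_SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# The drop directory used by this sample (per-user, writable without privilege).
ROAMING_MS_WINDOWS = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\", re.I)
# System process name with digits appended, e.g. winlogon32.exe.
LOOKALIKE_NAME = re.compile(
    r"^(csrss|winlogon|lsass|services|smss|svchost)\d+\.exe$", re.I)


def sha256_of_file(path: str) -> str:
    """Hex SHA256 of a file on disk, read in chunks (for live host checks)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the rule names a process-creation event trips.

    `event` is a constructed dict with an 'image' path and optional 'sha256'
    (as Sysmon event 1 would carry in its Hashes field).
    """
    image = event["image"]
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    findings: List[str] = []
    if ROAMING_MS_WINDOWS.match(image):
        findings.append("exec_from_roaming_microsoft_windows")
    if name in SYSTEM_PROCESS_NAMES and not directory.startswith(WINDOWS_SYSTEM_DIRS):
        findings.append("system_process_name_outside_system_dir")
    if LOOKALIKE_NAME.match(name):
        findings.append("system_process_lookalike_name")
    sha = event.get("sha256", "").lower()
    for ioc_name, ioc_sha in KNOWN_SHA256.items():
        if sha and sha == ioc_sha:
            findings.append(f"sha256_matches_{ioc_name}")
    return findings


def triage_events(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each image path to its findings, keeping only events that tripped a rule."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        hits = triage_event(ev)
        if hits:
            result[ev["image"]] = hits
    return result


# Constructed events modelled on the process tree in this report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\0cf5390295c3b5cd1e4d8fa29ec624aa.exe",
     "sha256": KNOWN_SHA256["0cf5390295c3b5cd1e4d8fa29ec624aa.exe"]},
    {"image": r"C:\Windows\SysWOW64\DllHost.exe"},
    {"image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe",
     "sha256": KNOWN_SHA256["winlogon32.exe"]},
    {"image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"},
    {"image": r"C:\Windows\System32\csrss.exe"},
]

if __name__ == "__main__":
    for image, hits in triage_events(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(hits))
```

On a live host the same rules apply to Sysmon event ID 1 (or 4688 with command-line auditing) after extracting the image path and hash; `sha256_of_file` covers the case where only the file on disk is available. The lookalike rule is deliberately narrow (system name plus digits) so that it flags winlogon32.exe without firing on every user-mode binary.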