Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 10:07

General

  • Target

    1561bf3b1ba0fa370abc5c2651498d64.exe

  • Size

    1.6MB

  • MD5

    1561bf3b1ba0fa370abc5c2651498d64

  • SHA1

    a6b8bb86cc655ac4652128e69ba2b4265cc337de

  • SHA256

    82947ca70f901c7d16e2d3053826e37ddff8847d21276374de19f542abc80136

  • SHA512

    cc5c9db484b1cdfdfe7153253982f0adcde18ff1c57666a8a7facf000ef74a34f16636521730572483c317975f62f3923c663e9f3a40d55d47a6cb04534a1db1

  • SSDEEP

    49152:yBeoax+3zbI9bi+DTfcakLz0DpO2ItHo+v1xK3oEe/JLcfgEfdDShcakLz0O:yBRc0o1DTfcakcDpO5I+v1xVnGfgMdDt

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1561bf3b1ba0fa370abc5c2651498d64.exe
    "C:\Users\Admin\AppData\Local\Temp\1561bf3b1ba0fa370abc5c2651498d64.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\1561bf3b1ba0fa370abc5c2651498d64.exe
      C:\Users\Admin\AppData\Local\Temp\1561bf3b1ba0fa370abc5c2651498d64.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1561bf3b1ba0fa370abc5c2651498d64.exe" /TN Nnb8kaFf43a4 /F
        3⤵
        • Creates scheduled task(s)
        PID:3036
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\2c3dIV.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN Nnb8kaFf43a4
          4⤵
            PID:2560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1561bf3b1ba0fa370abc5c2651498d64.exe

      Filesize

      1.2MB

      MD5

      ad424c677476a6d6bfdda7919040522c

      SHA1

      7f8418c8406604cb5c93661e7505d1a281b2ae92

      SHA256

      31a73fe360ad90f5fb750cea300cfc86e3fa2e6215b5b7d89604c7a3ce16eab1

      SHA512

      263301be360b36d791ec2c421698193180670bdce65ecae4248df505b8973a19ff3773166926ce2b0c6213347c6df85e967adaa2c77a46b921c961885596ee19

    • C:\Users\Admin\AppData\Local\Temp\1561bf3b1ba0fa370abc5c2651498d64.exe

      Filesize

      1.3MB

      MD5

      bb66c3a5ad0fe6e31bed8efb348fe91c

      SHA1

      85d70b6474be7e18358a238ad663947c97277ee2

      SHA256

      7ea87cccf2e725bdb91fd4c8e0feb508f10ed18972c6395c62d2ae494d7212e2

      SHA512

      51d1a3766b07b0fce4636aefa175b58295824c7395527c6c9200732501a9840934eacd33cc113af7a92e5b2504d08bd368c1f2f8125d897f0e1f46d4f3b2d912

    • C:\Users\Admin\AppData\Local\Temp\2c3dIV.xml

      Filesize

      1KB

      MD5

      819957784ec7de1b38b0be683f17b9a3

      SHA1

      7a341c9645ef48f8ac078fb9e8c15348b3eb86ff

      SHA256

      58ef937799afaf36d2e7dec6874b2b98745c1060a239fd287d5394fa7a55ce8d

      SHA512

      7ff9c7ad935388292c600a32de8811f1cffb9593a22345dd030c2cfff3c10184a4e77fd6b1455dd22406810a57ca41a2e638e1d7e6eb250809f7d391f431b381

    • \Users\Admin\AppData\Local\Temp\1561bf3b1ba0fa370abc5c2651498d64.exe

      Filesize

      1.3MB

      MD5

      03c2cab42f78993ade4803b28d60edd5

      SHA1

      4d8658ebac3a7a2347c17f2175f1884c4869656b

      SHA256

      1284d7afa549aa2376170fcf37845b972c00a1e8c907d8201ddf206dcd205955

      SHA512

      61aff4cee60bb4c4c6a352c74de965c78004dbc6e1d5403a33cf4b6d8f3e30235191d7ff7a7fc9f84bf66e3204cc71a85504c88c49bbf983377e2f3b6f27f6ea

    • memory/2716-22-0x0000000022E00000-0x0000000022E7E000-memory.dmp

      Filesize

      504KB

    • memory/2716-20-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2716-27-0x0000000000280000-0x00000000002EB000-memory.dmp

      Filesize

      428KB

    • memory/2716-26-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/2716-54-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2760-16-0x0000000023060000-0x00000000232BC000-memory.dmp

      Filesize

      2.4MB

    • memory/2760-15-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/2760-2-0x0000000001660000-0x00000000016DE000-memory.dmp

      Filesize

      504KB

    • memory/2760-0-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2760-1-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/2760-53-0x0000000023060000-0x00000000232BC000-memory.dmp

      Filesize

      2.4MB