Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    0s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 11:12

General

  • Target
    16db8a8242583743a29f612d7055b390.exe
  • Size
    24KB
  • MD5
    16db8a8242583743a29f612d7055b390
  • SHA1
    4e9dd0c3a451fb0fc672b6b0dafc1fa46931b06e
  • SHA256
    d2bc58131a12c9c55296c84310649e8037a92bab3fa1140b86fd457571a286f4
  • SHA512
    7328995cb0b62c1e926dca256eba58e2816e740c8d3a4713011afab146755494383f0ce02007a9956c434501b83be3451c9c1eba0b04c854294b391aad157e29
  • SSDEEP
    384:E3eVES+/xwGkRKJi/GSglM61qmTTMVF9/q5j/0:bGS+ZfbJTO8qYoAw

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16db8a8242583743a29f612d7055b390.exe
    "C:\Users\Admin\AppData\Local\Temp\16db8a8242583743a29f612d7055b390.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:2016
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1124
      • C:\Windows\SysWOW64\NETSTAT.EXE
        netstat -an
        3⤵
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:2684
      • C:\Windows\SysWOW64\net.exe
        net start
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
        PID:2988
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      1⤵
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\temp\flash.log
    Filesize
    8KB
    MD5
    08f953595317535e35d9e8ef28a8091e
    SHA1
    d4305511b3d1691ff99fb827cbdf5bb281483e1d
    SHA256
    d58dbd83b701c50190ae2e7a31c5b2bcdc7a9e0c8b070a0f3d545b465a74b844
    SHA512
    ef532080a9eb5f7920affe221d1c08ed70b060d0aee7def280eaeb922b633daaab4bbbab8f54bc981652715dc0982cb059cddd466d9a9e9eadcb4fccdecf9ddc