Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3ba924bf3e...28.exe

windows7-x64

7

3ba924bf3e...28.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    01/01/2024, 02:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ba924bf3e0820ef470658bad678a428.exe

  • Size

    109KB

  • MD5

    3ba924bf3e0820ef470658bad678a428

  • SHA1

    e9b231a0e3ece9067d56dff0fd980e10ed94c4d5

  • SHA256

    c3f12d98540dd9fc3bd975e7e324c29fc6794bac69c2997dc4152d59c70a5d7f

  • SHA512

    733f2471e1b09ad4d821b1329cbc591f5a780152ee2e7eff435a324c5b9af1d779a44c8d7e8ca957136e262a47cc8f029c2156f8579b695b1553eb2252ed2378

  • SSDEEP

    3072:I9amc9x9gOkBX7BeQRPdxP3nTOaVLfBQ9puHI/x3u:Ik8Ok51eQRPPPzD7HI/Bu

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ba924bf3e0820ef470658bad678a428.exe
    "C:\Users\Admin\AppData\Local\Temp\3ba924bf3e0820ef470658bad678a428.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c delplme.bat
      2⤵
      • Deletes itself
      PID:940
  • C:\Windows\avp.exe
    C:\Windows\avp.exe
    1⤵
    • Executes dropped EXE
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2504-21-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-23-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-29-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-16-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-17-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-18-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-28-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-19-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-27-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-20-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-24-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-25-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2504-26-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3032-0-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

    Download

  • memory/3032-3-0x0000000000370000-0x00000000003B8000-memory.dmp

    Filesize

    288KB

    Download

  • memory/3032-15-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

    Download