Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01/01/2024, 03:35

General

  • Target

    3bc834ab03c5c22969b41d8f0b5a6df3.exe

  • Size

    25KB

  • MD5

    3bc834ab03c5c22969b41d8f0b5a6df3

  • SHA1

    2bcf95871637ec2c9425a6e796228e2a816b55b5

  • SHA256

    2a4d4bd6ece66fb02ed93a3648f776a499c1066684982c7005dc0db89d4d66a9

  • SHA512

    37d15adcb74a3b3b55c50e4f3a8ccfc01d205e722a3449f32561a89f580132b4f2954148162d06536ef54ad491312cf03287acd42be226824e57519b76ee43b2

  • SSDEEP

    768:9Xr+c5rx86Lk4OC0W+adjB2m1OSTrksK3:96c5qEk4j0TadjKsK3

Score
7/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bc834ab03c5c22969b41d8f0b5a6df3.exe
    "C:\Users\Admin\AppData\Local\Temp\3bc834ab03c5c22969b41d8f0b5a6df3.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3BC834~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\A1A6BC2E.dll

    Filesize

    215KB

    MD5

    3d851a1dc083afac267caf165e196567

    SHA1

    2f92f6c185ecc6149cae90f9444a91d8c0b55631

    SHA256

    577e166f8d778d8a88b88e0ea05d884ff82493ee209868bb1ba9b889b5e66167

    SHA512

    b579885bf1680c823687f24b5018c5e3cf6c1388240e2858426b6acecb45720f95b79afb914768b8b4ca5f9a23c7a17cd1a6996fe229c2708991f3bbb53c99ed

  • memory/2260-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2260-2-0x0000000000460000-0x0000000000461000-memory.dmp

    Filesize

    4KB

  • memory/2260-10-0x0000000010000000-0x000000001000F000-memory.dmp

    Filesize

    60KB

  • memory/2260-11-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2260-12-0x0000000010000000-0x000000001000F000-memory.dmp

    Filesize

    60KB