Analysis

  • max time kernel
    7s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/01/2024, 12:40

General

  • Target

    40e2fe16444b41a74b756c9ddf46bd53.exe

  • Size

    663KB

  • MD5

    40e2fe16444b41a74b756c9ddf46bd53

  • SHA1

    77e04dfc73b53d25b769d64b5f040e5e561ce3d3

  • SHA256

    0b155a50377bd5144b342230c6984d9752b7be5378fe14ad797aa48e9d4fc94c

  • SHA512

    225af8219ca3a06bbdb22a99093f55d5f1e2edee9fd3c396f088fd32464e2205c345c8eb996425616d0b8497379b7403a35fc6f358664493383f813a9e33c9fb

  • SSDEEP

    12288:mJe0oVDdvW4dIy5Uzhqzzq+42QkutA3TgWRGo74X8wvbPAsxxM0k1/tkBOAojc/B:qRo84dIAUzhqzzqF2duC3TgloMX5vxxB

Score
8/10

Malware Config

Signatures

  • Sets file to hidden (1 TTPs, 1 IoCs)

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Drops file in Windows directory (47 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit (3 IoCs)
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)
  • Views/modifies file attributes (1 TTPs, 12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\40e2fe16444b41a74b756c9ddf46bd53.exe
    "C:\Users\Admin\AppData\Local\Temp\40e2fe16444b41a74b756c9ddf46bd53.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\web\printers\125.bat
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2292
      • \??\c:\windows\web\printers\rar.exe
        "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\usbhard.rar c:\windows\web\printers\
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2584
      • C:\Windows\SysWOW64\attrib.exe
        attrib +R +A +S +H c:\windows\web\printers
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:2496
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\windows\web\printers\1.reg
        3⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2440
      • \??\c:\windows\web\printers\rar.exe
        "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\zzz.rar c:\windows\dell\
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2504
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\windows\web\printers\2.reg
        3⤵
        • Runs .reg file with regedit
        PID:2996
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\windows\web\printers\5.reg
        3⤵
        • Runs .reg file with regedit
        PID:1440
      • \??\c:\windows\dell\lsess.exe
        c:\windows\dell\lsess.exe
        3⤵
        • Executes dropped EXE
        PID:2124
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R d:\setprter
        3⤵
        • Views/modifies file attributes
        PID:2696
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R f:\setprter
        3⤵
        • Views/modifies file attributes
        PID:3016
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R h:\setprter
        3⤵
        • Views/modifies file attributes
        PID:2964
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R h:\~1
        3⤵
        • Views/modifies file attributes
        PID:3000
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R g:\setprter
        3⤵
        • Views/modifies file attributes
        PID:2936
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R g:\~1
        3⤵
        • Views/modifies file attributes
        PID:3008
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R f:\~1
        3⤵
        • Views/modifies file attributes
        PID:2836
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R e:\setprter
        3⤵
        • Views/modifies file attributes
        PID:2820
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R e:\~1
        3⤵
        • Views/modifies file attributes
        PID:2816
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R d:\~1
        3⤵
        • Views/modifies file attributes
        PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\11a.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\attrib.exe
        attrib -S -H c:\ma.exe
        3⤵
        • Views/modifies file attributes
        PID:2776
  • C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    1⤵
    • Runs ping.exe
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Web\printers\125.bat

    Filesize

    1KB

    MD5

    1af018ff177dfbae562ac429cff786cb

    SHA1

    81f09865306d8c91d59bbec8a11ac874816f102c

    SHA256

    dda4aa27c7fd4b793bcadbd94c47dc997d66e293f910af3826de893b0381914a

    SHA512

    a76fba548576d2c99dac7e040bb140e29a68f55ee024174018345c4236e2a7ebda96d5ed1b66da85ae60d20485847e3cd38d34262be6c45475938f8d2182ab22

  • C:\Windows\dell\lsess.exe

    Filesize

    92KB

    MD5

    d29c72915dd318b24909b5d56b78f98c

    SHA1

    494b91c4650758aec1992fc941d0bf864e0f3e9c

    SHA256

    308fd963f233af18d52860366cd5eba1083c737792ac0ff3122fe88168385cff

    SHA512

    c680fed9fb3e6a1118cbdb52c9c7384322cb9e5c5b525ebc51773ce13b3df97151d505a9f897bae420a0514101e28796c119970fe77e027403611a5f0fe2f466

  • C:\Windows\dell\lsess.exe

    Filesize

    381KB

    MD5

    ed59cd47ca16a8345bba9be3959e0de5

    SHA1

    47e9a173858d3773a68ad759de30ca0098fbc9ff

    SHA256

    c18e8d3ffcd56dcdb09f33fc820008794f3570afb74e76a3100f6a3c456a28bf

    SHA512

    fa6486b0e7e93d821d2feaf4a7f492d6d044d00e36bf05e1bc25db49df7526a76e20e4a2ce9b947d5ebbeb78ec62b9ae39ce50af4cf30544eac2e05993ea395d

  • \??\c:\Windows\Web\printers\1.reg

    Filesize

    45KB

    MD5

    4ad724ba8346d8556e6e884727c0523e

    SHA1

    b53e2ec83b5b8441667b980fe6a53d69987fca89

    SHA256

    48c52c0934097cdd0aea155be18a2006f2dd6884d623a51b00baf3e5de3e1412

    SHA512

    fde2fb90a19fa00d040ade516fef8ca5f4463aee1a8af2fc85f41c3e818365086ff12491c330c8598bf071270bdbd863bbcdb5a5dde3d2523fbd1f6182eb33f3

  • \??\c:\windows\dell\lsess.txt

    Filesize

    99KB

    MD5

    2252b17e6ef56c39bfa75f97e3471570

    SHA1

    0d1516cb82c9adc9bb570000be12b849c7bdcf55

    SHA256

    9fd2ca5aadd16fecaebb4929d8cda96652147c36316a39ddcce0e92bd5eb4ebc

    SHA512

    6ac58688c8169ddba89458c0f3de1ba2e3727809beacb1e0a094db4985b1e21484ad23324085d19f2a107dbac3ef5f8fc6dd2c4f5c7202fd1be170060434927f

  • \??\c:\windows\web\printers\360s.txt

    Filesize

    2.2MB

    MD5

    0e7f4b97ddb5a938d6c18df6a656de21

    SHA1

    429f12411299723a52a7e912fd834b77830d7b86

    SHA256

    c378f6033bcd4cc5b8c73be2601b776706297b844110864dfd45269161e628c1

    SHA512

    008cb5d35f8476084b29b6f03d329c3ca1002a7b5fc82f6cc29ef29b86311833d2372aa8cc27835804b0248b9d3de37f61c9f24a37ff2d6a42eb3fb386a94633

  • \??\c:\windows\web\printers\usbhard.rar

    Filesize

    236KB

    MD5

    a0f784ad499c07a7b7c3a48fab5afd0b

    SHA1

    8194f876410f89d3e4cc9ad1f86c89d1138b0d6c

    SHA256

    89c23b96ac3837d3ee68ff0684f57e14cee8fc3ac3171d65c173ba6417411335

    SHA512

    a13b015ec263073ddd2aa5ad116f65f7ae38dc592d6fba9ab2fc3dc034c483d53077c83005b9214cecbf8201a5cd50baea33824136903c0604c5cf6ade2f39de

  • \??\c:\windows\web\printers\zzz.rar

    Filesize

    265KB

    MD5

    b6e7488813588c9f2d86d3f0f956fd42

    SHA1

    a61ba89c5b6a5962611680199667bb682a761074

    SHA256

    1e5e17c81e354de2172d1ab9b62a356b82037e3d64efda7b968ed07bbafc9742

    SHA512

    d33ebe2070d979a73cdf54e60bb6fe06bbfa25e906ddfbacac827378131922f53873bbb10856293f327e878364b16aea5097c49a03d86d3511351aaa79121b69

  • \Windows\Web\printers\rar.exe

    Filesize

    310KB

    MD5

    0a5680183c0089a64621e211917664d8

    SHA1

    8525d73c99e28413e97a094c99950e1806786246

    SHA256

    c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814

    SHA512

    b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051

  • \Windows\dell\lsess.exe

    Filesize

    382KB

    MD5

    1ee80266391ae68e21d33150a7f51f2f

    SHA1

    b01acf8c941921c39d17862f00acf1144e717124

    SHA256

    9304b5c55d8fe9cfa3d14480e36b88aa1e626f48117bf614954a2a75dbb728ab

    SHA512

    5b2f56ed5ea4308919664b71c5a4343751f7395a1f769be8a4245af03894544b8c0b86b2836d2b0306898b652e3356e42b14d8b92f148f38cfb5e268efccde08

  • memory/2124-87-0x0000000000400000-0x00000000004FC000-memory.dmp

    Filesize

    1008KB

  • memory/2292-86-0x0000000000440000-0x000000000053C000-memory.dmp

    Filesize

    1008KB

  • memory/2292-77-0x0000000000440000-0x000000000053C000-memory.dmp

    Filesize

    1008KB

  • memory/2504-66-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2584-55-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2940-0-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/2940-88-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/2940-1-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB