Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

42a0edbc63...ea.exe

windows7-x64

8

42a0edbc63...ea.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    05/01/2024, 03:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42a0edbc632435d049ae7d771eb6e2ea.exe

  • Size

    56KB

  • MD5

    42a0edbc632435d049ae7d771eb6e2ea

  • SHA1

    1db086391cff232fe0eea0970956a7092a96cec8

  • SHA256

    fec10378af7a07b910e9c343f04373fceb178f0a4557b4619005fb97c1d850e6

  • SHA512

    204b260dba2428cda723339526f4b0eb9ee19998fa50669e2092c3c96bdaab0b01c6fc3aaee2542419b90354e01613ed1ce36e42d630e575c47cbb5337092605

  • SSDEEP

    768:5c/p2YuNl3bIp+eMMqoZIUGBF99l5C+UPivppyeOI8tIKGwkdw:nNl3Mp+eMpfBF99fCkvZ8tIEz

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:496
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
      • Suspicious behavior: LoadsDriver
      PID:480
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        2⤵
          PID:824
          • C:\Windows\system32\Dwm.exe
            "C:\Windows\system32\Dwm.exe"
            3⤵
              PID:1156
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k NetworkService
            2⤵
              PID:284
            • C:\Windows\system32\sppsvc.exe
              C:\Windows\system32\sppsvc.exe
              2⤵
                PID:1580
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                2⤵
                  PID:1688
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                  2⤵
                    PID:1164
                  • C:\Windows\system32\taskhost.exe
                    "taskhost.exe"
                    2⤵
                      PID:1072
                    • C:\Windows\System32\spoolsv.exe
                      C:\Windows\System32\spoolsv.exe
                      2⤵
                        PID:1056
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService
                        2⤵
                          PID:976
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          2⤵
                            PID:864
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                              PID:764
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:688
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:608
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:436
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:400
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:388
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:504
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:340
                                        • C:\Windows\System32\smss.exe
                                          \SystemRoot\System32\smss.exe
                                          1⤵
                                            PID:260
                                          • C:\Windows\system32\DllHost.exe
                                            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                            1⤵
                                              PID:2196
                                            • C:\Windows\Explorer.EXE
                                              C:\Windows\Explorer.EXE
                                              1⤵
                                                PID:1208
                                                • C:\Users\Admin\AppData\Local\Temp\42a0edbc632435d049ae7d771eb6e2ea.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\42a0edbc632435d049ae7d771eb6e2ea.exe"
                                                  2⤵
                                                  • Drops file in Drivers directory
                                                  • Loads dropped DLL
                                                  • Drops file in System32 directory
                                                  • Drops file in Windows directory
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2428
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\42a0edbc632435d049ae7d771eb6e2ea.exe"
                                                    3⤵
                                                    • Deletes itself
                                                    PID:1608

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • \Users\Admin\AppData\Local\Temp\tmp1343.tmp
                                                Filesize

                                                12KB

                                                MD5

                                                ef3315129b08b57fa29873cb61708049

                                                SHA1

                                                852a3f8f89d0bd2ccb67714c200564bf759d9d1d

                                                SHA256

                                                742cbdb4b85efe9a972f2614204827afe4539e930152a9dd80bec48b2d4fb26a

                                                SHA512

                                                38c81518889d8e2a596aa137c019b2c6707da61512850fc1b7225b0ab88375ea2b194b3673880160a382eb12067d521c9eb0a68810156d76f08e994681255c93

                                                Download Submit

                                              • memory/260-9-0x0000000000110000-0x0000000000111000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/400-22-0x0000000000400000-0x0000000000401000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/2428-10-0x0000000010000000-0x0000000010028000-memory.dmp

                                                Filesize

                                                160KB

                                                Download

                                              • memory/2428-86-0x0000000010000000-0x0000000010028000-memory.dmp

                                                Filesize

                                                160KB

                                                Download