Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 2s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 05/01/2024, 06:45
Static task
- static1
Behavioral task
- behavioral1
  Sample: 4305f76c08cdeaa949c7f4efc418f9a2.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 4305f76c08cdeaa949c7f4efc418f9a2.exe
  Resource: win10v2004-20231215-en
General
- Target: 4305f76c08cdeaa949c7f4efc418f9a2.exe
- Size: 685KB
- MD5: 4305f76c08cdeaa949c7f4efc418f9a2
- SHA1: ad2879785e3bd63c4d46609a5404af7971c2d0b7
- SHA256: 7b262ab0a0ac865ee929b33f0a77dd7af315c566c58fb3ed1e60b740a99bc960
- SHA512: b79676b501ce80c4dda0e4e8361878a3299dfceda1e8ea0a6f675da4d6650209431fe6f27ae0ea043a4afe6bf703ba69bd440daa3e356725e56ffc7935322688
- SSDEEP: 12288:lrCx8y3OTknH5S+ycSWUAangtrJePiCmqbF3Z4mxxgCaQzwF:Xy3OTgH5FX8zZbQmXl7wF
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2836  Server.exe
  2632  Hacker.com.cn.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  868   4305f76c08cdeaa949c7f4efc418f9a2.exe
  868   4305f76c08cdeaa949c7f4efc418f9a2.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 4305f76c08cdeaa949c7f4efc418f9a2.exe

- Drops file in Windows directory (3 IoCs)
  description                   ioc                           Process
  File created                  C:\Windows\Hacker.com.cn.exe  Server.exe
  File opened for modification  C:\Windows\Hacker.com.cn.exe  Server.exe
  File created                  C:\Windows\uninstal.bat       Server.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2836  Server.exe
  Token: SeDebugPrivilege  2632  Hacker.com.cn.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2632  Hacker.com.cn.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                               procid_target
  PID 868 wrote to memory of 2836   868   4305f76c08cdeaa949c7f4efc418f9a2.exe  16
  PID 868 wrote to memory of 2836   868   4305f76c08cdeaa949c7f4efc418f9a2.exe  16
  PID 868 wrote to memory of 2836   868   4305f76c08cdeaa949c7f4efc418f9a2.exe  16
  PID 868 wrote to memory of 2836   868   4305f76c08cdeaa949c7f4efc418f9a2.exe  16
  PID 2632 wrote to memory of 2652  2632  Hacker.com.cn.exe                     19
  PID 2632 wrote to memory of 2652  2632  Hacker.com.cn.exe                     19
  PID 2632 wrote to memory of 2652  2632  Hacker.com.cn.exe                     19
  PID 2632 wrote to memory of 2652  2632  Hacker.com.cn.exe                     19
  PID 2836 wrote to memory of 2664  2836  Server.exe                            18
  PID 2836 wrote to memory of 2664  2836  Server.exe                            18
  PID 2836 wrote to memory of 2664  2836  Server.exe                            18
  PID 2836 wrote to memory of 2664  2836  Server.exe                            18
  PID 2836 wrote to memory of 2664  2836  Server.exe                            18
  PID 2836 wrote to memory of 2664  2836  Server.exe                            18
  PID 2836 wrote to memory of 2664  2836  Server.exe                            18
Processes
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  PID: 2836
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\uninstal.bat
    PID: 2664

- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  PID: 2652

- C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 2632
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

- C:\Users\Admin\AppData\Local\Temp\4305f76c08cdeaa949c7f4efc418f9a2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4305f76c08cdeaa949c7f4efc418f9a2.exe"
  PID: 868
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 44KB
  MD5: acd3d6b7e571aea36a0894cd31d8960c
  SHA1: 61b9303d64ed1087921bb60185ad8f55264dd29e
  SHA256: ed17bd488f06b316f2c752fc8213bb9c63cb9ab0e62215ba065ee799f4304775
  SHA512: 623b4401e63cf7f5858c6b3912418d7f7a6703cfe907cd23b454430296faff9e814200f28c46e5f75a818574a8090b8131434cf140596cde5302adbfd4e6c519

- Filesize: 64KB
  MD5: 0d0ba42db85c8c97ff02117f16cf23e7
  SHA1: cdbe7a30d86f0c793fe4dd445242eb357a271d3b
  SHA256: 8d5551cd72e8845ecd710da1af3c4cb0d2e5bf3b56596343cfe382306a260f73
  SHA512: 4ce188926a0b64dddd2bf5dc821835baf7b7c1cbe29053b9f5728264e099fa669a263f7964d1f5c50e5dee445a87f4b1f87055abf7b205825d286376225c7ed2

- Filesize: 28KB
  MD5: e7107253b75ba91688392c2744fa983a
  SHA1: da61a78d2bfcf4899c74ae17f4a5c328eb00a30f
  SHA256: a3c04b247f411ce729a088ba92fb7807e93e52dae0267adf855f44eff12d4759
  SHA512: 712c51bbbe5048a04abdc727a23a3b241f3819cff9860526caa4f6aa29fd90024f168f3ad2422740e02e05e4b438ccebeef2398605252ef2af05f1d7bee3cf84

- Filesize: 31KB
  MD5: ff373fa37314d015a7751f78dc17d532
  SHA1: 212fad5faed1e2ed8513526d7799d7486c2f0ee8
  SHA256: 5b031a7a9c3c243b166a52c841201025f9dab0ac1cabe165a00ed8daad8dc274
  SHA512: e055016475a16f232701d83764909e8b6d7e97d42fb64b3afb6bad72e9f2d2d5dc70fb1eb572348a475c3ad1744377288067929a7a0983bce86fc1fe6254dc47

- Filesize: 17KB
  MD5: e32ed57962d89f4be67ef6229f51ac62
  SHA1: 2de7d5bb1b329e5dd9df700a19d4da33ed4819ba
  SHA256: ea0802429cdc5006b404f2eac67bab65eafe4b986d850eb94bfb8575c190bc82
  SHA512: 07d86c464c1cd698ffa2cbe9eb9a6b2e9c0ec6c995331f3578dfdc06c8f0d0eea9033c377f4447ac1344d5a290a3412f4c64ab30d38c9e9749ab9106d0c89283

- Filesize: 160B
  MD5: 69e01c599950b5caf5cd7ec972f89682
  SHA1: 2d34ceced77c1f86417c00f706e06cc902b11e3b
  SHA256: b46da5e666a34856e6f9763f5bef2a4879b4d33f42ea1727be44a84e76fc8e5e
  SHA512: 48acf4f4b87eb21a255003a18ed572efb78d5c3ad90b4529bbb16dd32b53142c8f08fe4f567d29115e2ac1fb543f71c1b9ac3dc79cc14afda84c67f72ff11ba9

- Filesize: 120KB
  MD5: 3a15e1126f040c91ee623381890acd88
  SHA1: 4766d7853318bcd1630fb9d537d0f1fe440818db
  SHA256: 14e2834f7d184542bcb9dafe1377d5ebf47810de4f25e5e87ad0d1f005c47a85
  SHA512: 093fc9537f7028a9814980e7d1f98feb5085058043fda4571507e67f55d5af04e01285c7d576fee537c18d8b89e05fac695d39e5352408671795c7c53bc4affb

- Filesize: 92KB
  MD5: 75ec3ea5880362fe2a3963ca34231432
  SHA1: 98aa4ec3daf400b5470ad0c54d3e226b82d93f03
  SHA256: ea1b7a0a8a541be9b3a21e3112ea20f3229ff75b48fa1bf608314c956e92921a
  SHA512: 284178d3c6757b6fb970ea3e41b126d8eb552f5009d9a4eae8b9aafb923d4f951c4e3197b20ac23ef37aea6cfbddb499a3ef4fd84362b740091ff10c46d27df7