Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20231215-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    06/01/2024, 04:36

General

  • Target

    Driver/install_driver.exe

  • Size

    622KB

  • MD5

    66519e67c90c3f2b86ee443e3b41415f

  • SHA1

    a09a2fbf06fefe6dfd85fc4c69008ade42b432c9

  • SHA256

    958d60178914ac74e36c4218279eec2b18760bab0ab97e7fed18005a691a4ba6

  • SHA512

    5dce8fc0404b539862d16db51c35b0bb70d6db0877046a6903ba83ae65e11c185eab100e73e1bf7972d420723710e5d76af94c3ad3de50452b8034e678c7cac4

  • SSDEEP

    12288:byfUVjJQKXxXjjAZkU5UUXiy8Xtd9AsyG5/tAp3fLO6EwgbA6:byU82bU/Xiy8ZFAp3fLOH

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Driver\install_driver.exe
    "C:\Users\Admin\AppData\Local\Temp\Driver\install_driver.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\AppData\Local\Temp\Driver\installdrv64.exe
      installdrv64.exe UpdateDriverForPlugAndPlayDevices USB\Vid_0e8d&Pid_0003 "C:\Users\Admin\AppData\Local\Temp\Driver\Win7\usb2ser_Win764.inf"
      2⤵
      • Drops file in Windows directory
      PID:3044
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{21e238fa-7a52-103c-2bfe-27316af9c919}\usb2ser_Win764.inf" "9" "6fdf53997" "00000000000003C8" "WinSta0\Default" "000000000000058C" "208" "C:\Users\Admin\AppData\Local\Temp\Driver\Win7"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{0e66504b-bc6f-19be-0bd3-483311f1a329} Global\{4422cd6b-e5bc-0e9d-bea8-fc6bf628e164} C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\usb2ser_Win764.inf
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
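
The process tree above is the standard Windows 7 PnP driver-install chain: the installer's helper calls UpdateDriverForPlugAndPlayDevices with a hardware ID and an INF, the Plug and Play service launches DrvInst.exe to stage the package into the DriverStore, and pnpui.dll's InstallSecurityPromptRunDllW is the driver security prompt the user has to click through. The Python below is an added example and not part of the tria.ge report: it rebuilds the four process records from the PIDs and command lines shown above (constructed input), splits each command line the way the Windows loader would, and pulls the stage, hardware ID and INF path out of each one, as a triage script over sandbox process events would. The `Proc` record, the stage names and the helper functions are assumptions of this example, not tria.ge output.

```python
"""Triage a sandbox process list for the stages of a PnP driver installation.

Added example, not part of the tria.ge report. PROCESS_EVENTS is constructed
from the PIDs and command lines in the Processes section of the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str


# Constructed from the report's Processes section (same PIDs and command lines).
PROCESS_EVENTS: List[Proc] = [
    Proc(2436, r"C:\Users\Admin\AppData\Local\Temp\Driver\install_driver.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Driver\install_driver.exe"'),
    Proc(3044, r"C:\Users\Admin\AppData\Local\Temp\Driver\installdrv64.exe",
         r'installdrv64.exe UpdateDriverForPlugAndPlayDevices USB\Vid_0e8d&Pid_0003 '
         r'"C:\Users\Admin\AppData\Local\Temp\Driver\Win7\usb2ser_Win764.inf"'),
    Proc(2820, r"C:\Windows\system32\DrvInst.exe",
         r'DrvInst.exe "4" "0" '
         r'"C:\Users\Admin\AppData\Local\Temp\{21e238fa-7a52-103c-2bfe-27316af9c919}\usb2ser_Win764.inf" '
         r'"9" "6fdf53997" "00000000000003C8" "WinSta0\Default" "000000000000058C" "208" '
         r'"C:\Users\Admin\AppData\Local\Temp\Driver\Win7"'),
    Proc(2736, r"C:\Windows\system32\rundll32.exe",
         r'rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 '
         r'Global\{0e66504b-bc6f-19be-0bd3-483311f1a329} '
         r'Global\{4422cd6b-e5bc-0e9d-bea8-fc6bf628e164} '
         r'C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\usb2ser_Win764.inf'),
]

# USB hardware IDs look like USB\VID_xxxx&PID_xxxx (case-insensitive in practice).
USB_HWID_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)

STAGES = ("update_driver_request", "driverstore_staging", "install_security_prompt")


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_hardware_id(hwid: str) -> Optional[Dict[str, object]]:
    """Return bus, vendor and product for a USB hardware ID, else None."""
    m = USB_HWID_RE.match(hwid)
    if not m:
        return None
    return {"bus": "USB", "vendor": int(m.group(1), 16), "product": int(m.group(2), 16)}


def triage_driver_install(events: List[Proc]) -> List[Dict[str, object]]:
    """Tag each process that is one stage of a PnP driver installation."""
    findings: List[Dict[str, object]] = []
    for p in events:
        argv = split_cmdline(p.cmdline)
        exe = argv[0].rsplit("\\", 1)[-1].lower() if argv else ""
        # Stage 1: a user-mode helper asking newdev to update the driver for a
        # hardware ID from a given INF (here installdrv64.exe; devcon/pnputil look similar).
        if len(argv) >= 4 and argv[1].lower() == "updatedriverforplugandplaydevices":
            findings.append({"pid": p.pid, "stage": STAGES[0], "hardware_id": argv[2],
                             "device": parse_hardware_id(argv[2]), "inf": argv[3]})
        # Stage 2: DrvInst.exe stages the package into the DriverStore; its last
        # argument is the source directory of the package being imported.
        elif exe == "drvinst.exe":
            infs = [a for a in argv if a.lower().endswith(".inf")]
            findings.append({"pid": p.pid, "stage": STAGES[1],
                             "inf": infs[0] if infs else None, "source_dir": argv[-1]})
        # Stage 3: the driver-install security prompt; the INF it is asking about is
        # the last argument, already copied under DriverStore\Temp.
        elif exe == "rundll32.exe" and "pnpui.dll,installsecuritypromptrundllw" in p.cmdline.lower():
            findings.append({"pid": p.pid, "stage": STAGES[2], "inf": argv[-1]})
    return findings


def full_chain_observed(findings: List[Dict[str, object]]) -> bool:
    """True when request, staging and security prompt were all seen."""
    seen = {f["stage"] for f in findings}
    return all(s in seen for s in STAGES)


if __name__ == "__main__":
    result = triage_driver_install(PROCESS_EVENTS)
    for f in result:
        print(f)
    print("full driver-install chain:", full_chain_observed(result))
```

DrvInst.exe sits at the root of the tree rather than under installdrv64.exe because it is started by the Plug and Play service, not by the installer, so the matching keys on command lines instead of parent/child links. The security-prompt stage is the signal worth keeping: it means the package was not installed silently, which on Windows 7 x64 typically means it is not WHQL-signed and its publisher is not yet in the machine's Trusted Publishers store.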

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\SET344A.tmp

    Filesize

    25KB

    MD5

    49106ee29074e6a3d3ac9e24c6d791d8

    SHA1

    54b690cfd6b81b556239bc6409c408d26d9fafc6

    SHA256

    b96b19a92e720f284741f8a2dcb30a9423ad58ba8f795d4f2e30403ceef20099

    SHA512

    e6737b08ee1bdfcce4b59a02fa53507f894c8bc285e71e4fe8130e0046ff098847a245b1299f3f6120fa8ec54a53bb531f999eb6043aaaf4e499b97a8ac87a69

  • C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\SET344B.tmp

    Filesize

    3KB

    MD5

    bccc7e837e3c0105830295b7a772d40f

    SHA1

    230e7173e5bd5631c78fd86d29602fe969805e9b

    SHA256

    e3063428ed325a2c570677182ffb9df3c0821a706cd9f754ea5150aeaa98ac2e

    SHA512

    eac0d13d56c83c9a1a492a79273a7952e00b2c631e77cd3a8895c496e8895d5f943521584aec10a8132ebb93f808539acf37ebf1da385ed336f8d3c9c7217122

  • memory/2736-16-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB