Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 10:00

General

  • Target

    48acc010b209323240e80238063b8164.exe

  • Size

    108KB

  • MD5

    48acc010b209323240e80238063b8164

  • SHA1

    db8c5fe801534cc103a5519a9389f82be4b028b7

  • SHA256

    eb065579378f04e903c23fe185d1f38fb0627fa34f7ae7f9d660b2f15cc2eed0

  • SHA512

    467b6f80f5e80f911c7ab2002968d6b2300d040d8801272d695b0fbf0d565d5010351235b801b5f0094cb44976995e9edbaf8a55569349c7330a94a7137e608f

  • SSDEEP

    1536:mjLaMv3xnCwNz0DxkJ0PpKtzz0imm6g5ckJUD1LZ38hqiDsIxI9He2q0T6ow4U6:meYBCwqDxkJKpqjoOklZ4DzI02DHwa

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe
    "C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe" 48acc010b209323240e80238063b8164 /s
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Windows\system32\wintvt64.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 292
          4⤵
          • Program crash
          PID:2120
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 "C:\Windows\system32\szwtvt64.dll",StartByHostEx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hostA\A\a.sys

    Filesize

    12KB

    MD5

    f0ed35df7868e035ef4d24f4ed2275df

    SHA1

    0311ced9b0fc9d48cbca3c82a20e6a69ad634224

    SHA256

    c29aacebd737d8dc4a04ede748feb2015653e5be849df503116579be877c4a1f

    SHA512

    9996bcc542e42b44c77a0577710320330781499a82a75f1d2a485c12426e6662266f1cf350b899ed346509f3949e97734fdc0847703c41eeecc8c707200ccc2c

  • C:\Users\Admin\AppData\Local\Temp\hostA\A\staA.dll

    Filesize

    31KB

    MD5

    dc7a726988c0fd975c6289f4a10f7f4a

    SHA1

    6d1ac62e4cf452e750e8280e52a0289815a91fe0

    SHA256

    2590fbb815f0ff0ad462d97bc888ec444d3f96f33b8b9b03d3201d4c5d19117e

    SHA512

    282c052261341e0523a2424784b2fafa32250fce2b8bdc4a399bf52ddf3f3fe00a6f29b9098e8c3362cc073c7498a368ebf4b5c1725fbb195372c369afe7b7b3

  • C:\Users\Admin\AppData\Local\Temp\hostA\A\winA.dll

    Filesize

    32KB

    MD5

    4b9c0a72a21e2302499f9205691d4d97

    SHA1

    c832ead6f4e0e8850246072920ed05891d8adcfc

    SHA256

    7dea44ae86ac4217c78a6ce3a662dc74c26a5b7ed8dfcb381acb7f70629def40

    SHA512

    989ddca552974b919d892d3fb7b30ff252dac55e06a9f6dd173982537fb48ea581ba96f40d099f8f9149b294ff7444ba245f11deabf60ca2b65cf2199b049827

  • \Users\Admin\AppData\Local\Temp\hostA\Setup.exe

    Filesize

    44KB

    MD5

    662efb61c90b91e9bccc9b88c47b8514

    SHA1

    49bf37470ffe9ee5beb66a872212a533365d5b1b

    SHA256

    58bedb0c116624d77201fa0d6baf6211da9c7071ea239ce1e6040d1026f3005a

    SHA512

    4bf7e8634fcc8f153392d08704ce22f48720321d724a8efbd3c35be63d5c2842fca94163c1e156a03606c4ec6c801deaed5982ff7487b38c54b289a715511939

  • memory/1652-35-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB

  • memory/2036-19-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

  • memory/2036-21-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

  • memory/2036-26-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

  • memory/2036-27-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

  • memory/2292-33-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB

  • memory/2292-36-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB

  • memory/2460-25-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB