Analysis
- max time kernel: 184s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09/01/2024, 15:28
Static task: static1
Behavioral task: behavioral1
- Sample: 4eab4b1b1ceaa35db996ea96b6160547.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4eab4b1b1ceaa35db996ea96b6160547.exe
- Resource: win10v2004-20231215-en
General
- Target: 4eab4b1b1ceaa35db996ea96b6160547.exe
- Size: 144KB
- MD5: 4eab4b1b1ceaa35db996ea96b6160547
- SHA1: 6578f62c208cf672e6cb0c65534ef9e02e54b0d4
- SHA256: d7187c375741d1797d56cc53ad890f87e48b405aa8db6951b4cbefa804884797
- SHA512: 11a9b880943fef10b48230cb70c1525eb5c0ed64119b9e30e26deac210b10c138ed64ea5821ee7ab85e88152ab0d5cf10d8565e21e2e64c295a0acf8b2363512
- SSDEEP: 3072:K+3SNwtzid5DkjScvN4/OLYMH8uqSDGghke8KVrB:riNwZjSqN4PDuqSDGgqel7
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - PID 2584, process rotr.exe
- Loads dropped DLL (2 IoCs)
  - PID 2832, process 4eab4b1b1ceaa35db996ea96b6160547.exe
  - PID 2832, process 4eab4b1b1ceaa35db996ea96b6160547.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Program Files (x86)\\unue\\rotr.exe\" -vt ndrv", by rotr.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Program Files (x86)\\unue\\rotr.exe\" -vt ndrv", by 4eab4b1b1ceaa35db996ea96b6160547.exe
  Both the original sample and the dropped copy write the same per-user Run value, so the persistence entry survives even if only one of the two processes is killed during the run.
- Drops file in Program Files directory (4 IoCs)
  - File opened for modification: C:\Program Files (x86)\unue\rotr.exe, by 4eab4b1b1ceaa35db996ea96b6160547.exe
  - File created: C:\Program Files (x86)\unue\rotr.exe, by 4eab4b1b1ceaa35db996ea96b6160547.exe
  - File opened for modification: C:\Program Files (x86)\unue\rotr.exe, by rotr.exe
  - File created: C:\Program Files (x86)\unue\rotr.exe, by rotr.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2832 (4eab4b1b1ceaa35db996ea96b6160547.exe) wrote to memory of PID 2584 (rotr.exe), target process index 30, recorded four times
  All four entries are the parent writing into the child it has just spawned; a parent also does this for ordinary process creation, so on its own this signature corroborates the launch of the dropped EXE rather than proving code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\4eab4b1b1ceaa35db996ea96b6160547.exe (PID 2832)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4eab4b1b1ceaa35db996ea96b6160547.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\unue\rotr.exe (PID 2584, child of PID 2832)
      Command line: "C:\Program Files (x86)\unue\rotr.exe" -vt ndrv
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144KB
- MD5: 4eab4b1b1ceaa35db996ea96b6160547
- SHA1: 6578f62c208cf672e6cb0c65534ef9e02e54b0d4
- SHA256: d7187c375741d1797d56cc53ad890f87e48b405aa8db6951b4cbefa804884797
- SHA512: 11a9b880943fef10b48230cb70c1525eb5c0ed64119b9e30e26deac210b10c138ed64ea5821ee7ab85e88152ab0d5cf10d8565e21e2e64c295a0acf8b2363512