Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/01/2024, 12:35

General

  • Target

    509274c5c973b5c330be82845b57663f.exe

  • Size

    63KB

  • MD5

    509274c5c973b5c330be82845b57663f

  • SHA1

    79cff899d88ff8307eeafbda87098f833f42fb8f

  • SHA256

    4b02e5922ab65a6bf04702ebf73b4c019227596c06eac51acc0847f8b01e54f6

  • SHA512

    22c5fd3d88b9016e5b041ffff25db5f015c4b98043c25a59350506afc92c86500e2efb0b7e2d5d3ed09b011b3f436a48acbb27f8167f7d1113f125ccd762b613

  • SSDEEP

    1536:VdryyfYwLQhueIbzRFIj9JdHQWplS7N1DKmxAMNd1D2IobgMW:TrD9LiFOzrIj9DHGh45MNd1KgM

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\509274c5c973b5c330be82845b57663f.exe
    "C:\Users\Admin\AppData\Local\Temp\509274c5c973b5c330be82845b57663f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\jh.exe
      "C:\Windows\System32\jh.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c date 1983-10-19
        3⤵
          PID:2812
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c taskkill /im 360tray.exe /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im 360tray.exe /f
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c taskkill /im 360safe.exe /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2296
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im 360safe.exe /f
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1988

Network

MITRE ATT&CK Enterprise v15

Downloads

    • \Windows\SysWOW64\jh.exe

      Filesize

      9KB

      MD5

      23528fd2acbd57565ac391e769f11d0a

      SHA1

      3b1479c58db12f3cb60504909e55e6a960851a55

      SHA256

      f28c39eb7ee9be1c9cc5d84d7372ce601424462cebfd3359a2010152fa11abfe

      SHA512

      314ab22347402214b85f87c5fb918ac9b971e3e93fabfcb5aaf0fb8349309bf819145c18af03784d1264a26c9c84142d54cc2cafb7a1ea6c16d1f0a2456cc0b7

    • memory/1724-0-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

    • memory/1724-11-0x0000000002770000-0x0000000002780000-memory.dmp

      Filesize

      64KB

    • memory/1724-12-0x0000000002770000-0x0000000002787000-memory.dmp

      Filesize

      92KB

    • memory/1724-13-0x0000000002770000-0x0000000002787000-memory.dmp

      Filesize

      92KB

    • memory/1724-15-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

    • memory/1724-18-0x0000000002770000-0x0000000002787000-memory.dmp

      Filesize

      92KB

    • memory/1724-17-0x0000000002770000-0x0000000002780000-memory.dmp

      Filesize

      64KB

    • memory/1724-19-0x0000000002770000-0x0000000002787000-memory.dmp

      Filesize

      92KB

    • memory/2336-14-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/2336-16-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB