Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/01/2024, 15:13

General

  • Target

    50e75dc2d5ace8a5669e347ed32c10dd.exe

  • Size

    384KB

  • MD5

    50e75dc2d5ace8a5669e347ed32c10dd

  • SHA1

    5e357ca218cf49f8b18c622ed77c59798ca23322

  • SHA256

    70b9b35e34c3a4ec1e946378c40e1d876920d638ec919ef2778e6047c1d5ad90

  • SHA512

    d0dc948471e976bfaf75be161a8283ee2fd49e2a48a90e87162e3477511631d27e27fd2740d0a5ee6ebb15995c0154e7b1216e3e57d38413f1d07b685bfe9754

  • SSDEEP

    6144:G59TOwr3GP/cSHBWOySe1jCrCzvfAL0OT+dgW/CkVgAtAt:G50QWvHBWOyHCrYfAL0OS6+uA+

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50e75dc2d5ace8a5669e347ed32c10dd.exe
    "C:\Users\Admin\AppData\Local\Temp\50e75dc2d5ace8a5669e347ed32c10dd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\ProgramData\eP10400OpDeK10400\eP10400OpDeK10400.exe
      "C:\ProgramData\eP10400OpDeK10400\eP10400OpDeK10400.exe" "C:\Users\Admin\AppData\Local\Temp\50e75dc2d5ace8a5669e347ed32c10dd.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\eP10400OpDeK10400\eP10400OpDeK10400

    Filesize

    192B

    MD5

    2f1182848789bd15becf8a3c2429ee64

    SHA1

    ff99b650db92951580c1f2aac6aef3a2ce391599

    SHA256

    149737854a1ba46c8d4edec522d59797669c8d174cf059da868cdf3b634b6e18

    SHA512

    5f003d9eb809f788198ce4c45e507e7d2b0ade80206ac5a59584e486b416e5daef2bfc3861ae8f99b5619d85c4c05c5e6f4cb573110cf8d610e62603a2e03566

  • \ProgramData\eP10400OpDeK10400\eP10400OpDeK10400.exe

    Filesize

    384KB

    MD5

    8662d2ab3dfb11be918721843edd1b01

    SHA1

    5d3e29f5e6c7f4c493592cea105dd26acd830361

    SHA256

    1061d0818bcc277166602a0defb07f6e8fdb27aa11d8a241ce081cbb52b92f19

    SHA512

    3b97e5aac180338a78ec981803061f875c2645f3d08a0dfb8a6c6b26efc1a4790e05b9121fae8d2fde1de8827430e9aa02e58dc2ea5388cad90e154943efbea7

  • memory/2000-0-0x0000000000330000-0x0000000000332000-memory.dmp

    Filesize

    8KB

  • memory/2000-6-0x0000000000400000-0x00000000004EE000-memory.dmp

    Filesize

    952KB

  • memory/2000-17-0x0000000000400000-0x00000000004EE000-memory.dmp

    Filesize

    952KB

  • memory/2092-23-0x0000000000400000-0x00000000004EE000-memory.dmp

    Filesize

    952KB

  • memory/2092-27-0x0000000000400000-0x00000000004EE000-memory.dmp

    Filesize

    952KB

  • memory/2092-36-0x0000000000400000-0x00000000004EE000-memory.dmp

    Filesize

    952KB