Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

11/01/2024, 04:17

240111-ewj4tsfcf9 7

11/01/2024, 04:09

240111-eq4laafbg6 7

10/01/2024, 02:48

240110-darq4scdbn 7

10/01/2024, 02:33

240110-c2bcrscbfl 7

10/01/2024, 02:10

240110-cls8msdaf5 1

10/01/2024, 01:31

240110-bxfw1scec5 1

Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-es
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-es, locale:es-es, os:windows7-x64, system:windows
  • submitted
    11/01/2024, 04:09

General

  • Target

    mal.zip

  • Size

    4.5MB

  • MD5

    15a36183a2d2c4a43f7f203548fbcb04

  • SHA1

    3ce2a3904eeef714abec465b55a0c20f6e47b079

  • SHA256

    ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345

  • SHA512

    67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f

  • SSDEEP

    98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
    1⤵
      PID:1864
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2356
      • C:\Windows\System32\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
        1⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:784
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Enumerates connected drives
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 1C71F1C73CC2B2C0E9DB00CE3327AD51
          2⤵
          • Loads dropped DLL
          • Blocklisted process makes network request
          • Suspicious use of SetWindowsHookEx
          PID:1616
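
      The tree above is the standard Windows Installer custom-action chain: the user-launched msiexec.exe /i (PID 784) hands the package to the msiexec.exe /V service (PID 2908), which spawns a 32-bit MsiExec.exe -Embedding <32 hex digits> child (PID 1616) to run the package's custom action. That child is where the Loads dropped DLL and Blocklisted process makes network request signatures fire: the custom-action DLL is written to C:\Windows\Installer\MSI*.tmp and then loaded. The Python below is an added detection example, not part of the tria.ge report or of the sample: it correlates constructed Sysmon-style process-create, image-load and network events into that chain and flags only -Embedding children that load an Installer\MSI*.tmp image, rating them higher when they also make a network connection. PIDs 784, 2908 and 1616 and the command lines are copied from the tree above; the loaded DLL path reuses the MSIA134.tmp name from the Downloads list. The destination address, the benign control process (PID 3100, which loads only a system DLL) and the Event record shape are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-like record, constructed for this example (not a real log format)."""
    kind: str            # "process" (ProcessCreate), "imageload" (ImageLoad) or "network" (NetworkConnect)
    pid: int
    image: str
    cmdline: str = ""
    ppid: int = 0
    loaded: str = ""     # ImageLoaded, for imageload events
    dest: str = ""       # DestinationIp:Port, for network events


# MsiExec.exe -Embedding <32 hex digits>: the custom-action server the Installer service spawns.
EMBEDDING_RE = re.compile(r'msiexec\.exe"?\s+-Embedding\s+[0-9A-F]{32}\b', re.I)
# msiexec.exe /V: the Windows Installer service process itself.
SERVICE_RE = re.compile(r'msiexec\.exe"?\s+/V\s*$', re.I)
# Custom-action binaries the Installer extracts from the package before loading them.
INSTALLER_TMP_RE = re.compile(r"^[A-Z]:\\Windows\\Installer\\MSI[0-9A-F]+\.tmp$", re.I)

# Constructed events mirroring the process tree in the report. PIDs 784/2908/1616 and the
# command lines are the report's; the DLL path reuses MSIA134.tmp from the Downloads list;
# 203.0.113.10:443 and the benign PID 3100 are assumed.
EVENTS = [
    Event("process", 784, r"C:\Windows\System32\msiexec.exe",
          r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"',
          ppid=2356),
    Event("process", 2908, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Event("process", 1616, r"C:\Windows\syswow64\MsiExec.exe",
          r"C:\Windows\syswow64\MsiExec.exe -Embedding 1C71F1C73CC2B2C0E9DB00CE3327AD51", ppid=2908),
    Event("imageload", 1616, r"C:\Windows\syswow64\MsiExec.exe", loaded=r"C:\Windows\Installer\MSIA134.tmp"),
    Event("network", 1616, r"C:\Windows\syswow64\MsiExec.exe", dest="203.0.113.10:443"),
    # Benign control (assumed): a custom-action server that loads only a system DLL and stays offline.
    Event("process", 3100, r"C:\Windows\syswow64\MsiExec.exe",
          r"C:\Windows\syswow64\MsiExec.exe -Embedding 00112233445566778899AABBCCDDEEFF", ppid=2908),
    Event("imageload", 3100, r"C:\Windows\syswow64\MsiExec.exe", loaded=r"C:\Windows\System32\kernel32.dll"),
]


def find_custom_action_chains(events):
    """Return {pid: finding} for every -Embedding MsiExec child of the Installer service that
    loads an Installer\\MSI*.tmp image; network connections raise the severity."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    service_pids = {pid for pid, e in procs.items() if SERVICE_RE.search(e.cmdline)}
    findings = {}
    for pid, proc in procs.items():
        if proc.ppid not in service_pids or not EMBEDDING_RE.search(proc.cmdline):
            continue
        dropped = [e.loaded for e in events
                   if e.kind == "imageload" and e.pid == pid and INSTALLER_TMP_RE.match(e.loaded)]
        if not dropped:
            continue  # custom-action servers that load only system DLLs are routine installer noise
        network = [e.dest for e in events if e.kind == "network" and e.pid == pid]
        findings[pid] = {
            "parent": proc.ppid,
            "dropped_dlls": dropped,
            "network": network,
            "severity": "high" if network else "medium",
        }
    return findings


def format_alerts(findings):
    """One line per flagged custom-action server, suitable for a SIEM message field."""
    return [
        f"[{f['severity']}] MsiExec -Embedding pid={pid} (parent {f['parent']}) loaded "
        f"{', '.join(f['dropped_dlls'])}; network: {', '.join(f['network']) or 'none'}"
        for pid, f in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in format_alerts(find_custom_action_chains(EVENTS)):
        print(line)
```

      The service check matters: -Embedding is also used by legitimate custom actions, so the rule keys on the dropped MSI*.tmp load rather than on the command line alone, and it deliberately leaves the benign PID 3100 unflagged. On a real host the same three event types are available from Sysmon (event IDs 1, 7 and 3) with the parent PID taken from ProcessCreate.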

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Windows\Installer\MSI7916.tmp

        Filesize

        554KB

        MD5

        3b171ce087bb799aafcbbd93bab27f71

        SHA1

        7bd69efbc7797bdff5510830ca2cc817c8b86d08

        SHA256

        bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

        SHA512

        7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

      • C:\Windows\Installer\MSIA134.tmp

        Filesize

        1.3MB

        MD5

        6b7952f75226dbee67b821475293fcd8

        SHA1

        24b6101ab65b2676166aa5117eaa0aacd8c7442a

        SHA256

        7f5b7e6b865e4df50ee082520e0264124581f30681767b7051a168024389f53a

        SHA512

        678ca43275105200c127af34713569398e46853c40e4d420259d48d20ced8f11c0f183260faa1f17a8961074fab82c4ceb5a3dd1333d80f06a638683eef3009f

      • \Windows\Installer\MSIA134.tmp

        Filesize

        623KB

        MD5

        25845a7ef27d60301cfe4b74f72c3dac

        SHA1

        1b705544bc09da4adb2f9e78726ee6b2064c787c

        SHA256

        63653f890a72bd56e6f8ba9ee348db614c36f8808d15d4de7e543a1d5afa89e2

        SHA512

        6017850469aa0888ca6ab0fb887ec7c7e4cc5743794919069292bde845b3dc6ba5999284e93e9244fef48c9ea0d952b66fd02153615634b95f56cc8321fec753

      • memory/1616-21-0x0000000072C10000-0x0000000073767000-memory.dmp

        Filesize

        11.3MB