Resubmissions

11/01/2024, 04:17

240111-ewj4tsfcf9 7

11/01/2024, 04:09

240111-eq4laafbg6 7

10/01/2024, 02:48

240110-darq4scdbn 7

10/01/2024, 02:33

240110-c2bcrscbfl 7

10/01/2024, 02:10

240110-cls8msdaf5 1

10/01/2024, 01:31

240110-bxfw1scec5 1

Analysis

  • max time kernel
    225s
  • max time network
    221s
  • platform
    windows7_x64
  • resource
    win7-20231215-es
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-es locale:es-es os:windows7-x64 system:windows
  • submitted
    11/01/2024, 04:17

General

  • Target

    mal.zip

  • Size

    4.5MB

  • MD5

    15a36183a2d2c4a43f7f203548fbcb04

  • SHA1

    3ce2a3904eeef714abec465b55a0c20f6e47b079

  • SHA256

    ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345

  • SHA512

    67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f

  • SSDEEP

    98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
    1⤵
      PID:2472
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2796
      • C:\Windows\System32\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
        1⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2648
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Enumerates connected drives
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding C7512015DC8EE1B72498F127DE0071BA
          2⤵
          • Loads dropped DLL
          • Blocklisted process makes network request
          • Suspicious use of SetWindowsHookEx
          PID:2992

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Windows\Installer\MSIAAA1.tmp

        Filesize

        554KB

        MD5

        3b171ce087bb799aafcbbd93bab27f71

        SHA1

        7bd69efbc7797bdff5510830ca2cc817c8b86d08

        SHA256

        bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

        SHA512

        7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

      • C:\Windows\Installer\MSICD81.tmp

        Filesize

        1.5MB

        MD5

        0fe8a187f05057815daa5b753259693d

        SHA1

        565ddd946b6d9a5125cc0493931aa658824652bb

        SHA256

        a0c545392c7498f213c0cb4eaf9fb65611aabd06f1d69e2ca9b9e4b9f466cf5a

        SHA512

        57bcb97dee0019191148feb8e4f8bd796e350734e3bcc47e511d79a25086d312b7bc1cb887654f31e14368308128354255b654d6bdb330a6c4af86f434ab3648

      • \Windows\Installer\MSICD81.tmp

        Filesize

        862KB

        MD5

        9a4ef4d1ad0c94a170f694426d92606f

        SHA1

        737b357f5e7482bb42c271dc2c20aadeb1f66294

        SHA256

        c1427d4ad9f5bf9a57136746125aa5c125d470181b7d8005787be1cfb6f17310

        SHA512

        c7a59d3f5b76eb817a567b0825e9a8447b741cca26599841417535a458c910188749d1991d7c7b26c80e4719b564f79baa09a7166c8cea536051da561e25ccca

      • memory/2992-21-0x0000000072630000-0x0000000073187000-memory.dmp

        Filesize

        11.3MB