Analysis
  max time kernel:   122s
  max time network:  126s
  platform:          windows7_x64
  resource:          win7-20231215-en
  resource tags:     arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:         12/01/2024, 17:28
Static task
  static1

Behavioral tasks
  Task          Sample         Resource
  behavioral1   AMCAP.exe      win7-20231129-en
  behavioral2   AMCAP.exe      win10v2004-20231215-en
  behavioral3   SETUP.exe      win7-20231215-en
  behavioral4   SETUP.exe      win10v2004-20231222-en
  behavioral5   STILLCAP.exe   win7-20231129-en
  behavioral6   STILLCAP.exe   win10v2004-20231215-en
  behavioral7   USBVM31B.sys   win7-20231215-en
  behavioral8   USBVM31B.sys   win10v2004-20231215-en
  behavioral9   VM31BPRP.dll   win7-20231215-en
  behavioral10  VM31BPRP.dll   win10v2004-20231222-en
  behavioral11  VM31BSTI.dll   win7-20231215-en
  behavioral12  VM31BSTI.dll   win10v2004-20231215-en
  behavioral13  VM31BTWN.dll   win7-20231215-en
  behavioral14  VM31BTWN.dll   win10v2004-20231215-en
  behavioral15  VM31BTXP.dll   win7-20231215-en
  behavioral16  VM31BTXP.dll   win10v2004-20231222-en
  behavioral17  VMCAP.exe      win7-20231215-en
  behavioral18  VMCAP.exe      win10v2004-20231215-en
  behavioral19  VM_STI.exe     win7-20231129-en
  behavioral20  VM_STI.exe     win10v2004-20231215-en
General
  Target:  SETUP.exe
  Size:    1.9MB
  MD5:     3340bab1c2c7a13dd12e9376dcc5cdc5
  SHA1:    863ef53a424112eb4387f36c1c7a72910073354f
  SHA256:  b75ec66a93df2eff82d2feace99d7e1ad3972258eb5294c0aabb144a7c16851b
  SHA512:  81e4b755a18d9407382b36dd2fabdc759a55b59b23e9ca7ff46c9b16cbaaedbaf70887bad302ceba0e6c679006fb97f1e8dc2a76b9551427ea1198fb4c5a7ab4
  SSDEEP:  24576:mDdU+YdDjh2vZpRgebJB4Qf+8Q173lQVKjQ3Ouka5T7bVdgX5+GbQ50of0HlRLZo:0dwuFW8QdywPubv4p+8i0ofcpV3o
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2724  setup.exe
  2584  setup.exe

Loads dropped DLL (17 IoCs)
  pid   Process
  3060  SETUP.exe
  2724  setup.exe   (4 entries)
  2584  setup.exe   (12 entries)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (4 IoCs)
  description                  ioc                                                                                                  Process
  File created                 C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\isp3A16.tmp\temp.000  setup.exe
  File created                 C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\isp3A76.tmp\temp.000  setup.exe
  File created                 C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKe3AF6.tmp           setup.exe
  File opened for modification C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKe3AF6.tmp           setup.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process    procid_target
  PID 3060 wrote to memory of 2724   3060  SETUP.exe  28   (7 entries)
  PID 2724 wrote to memory of 2584   2724  setup.exe  29   (7 entries)
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\SETUP.exe  (PID 3060)
      command line: "C:\Users\Admin\AppData\Local\Temp\SETUP.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      [2] C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\setup.exe  (PID 2724)
          command line: "C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\setup.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

          [3] C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\setup.exe  (PID 2584)
              command line: -deleter
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads