Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13/01/2024, 22:38
Static task: static1
Behavioral task: behavioral1
- Sample: 59980a5a3472e8737e7a72f870061235.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 59980a5a3472e8737e7a72f870061235.exe
- Resource: win10v2004-20231222-en
General
- Target: 59980a5a3472e8737e7a72f870061235.exe
- Size: 112KB
- MD5: 59980a5a3472e8737e7a72f870061235
- SHA1: be0577e79663df03a2e5cf902f283029d0fd1940
- SHA256: f584c54ae63e4dde92f8da1d098a0ff3f1c1dd263041e8d45fa88dc809bdfa19
- SHA512: 081543a783ce8b6081bd2c1747ee92cf20bdb6a802af77656d7a85cae59364fe90b78833284715f8aa659e5384c710b2ebd46e5fe2458a70b25e2e22e2ec68b9
- SSDEEP: 1536:RCyqWhBVC4LN0IqxxSWtn69X0CJDwXwlFoE4nO:0y7BVVLNbqxxTt69kKUMFoEt
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2504 | KartSvr.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  3040 | 59980a5a3472e8737e7a72f870061235.exe
  3040 | 59980a5a3472e8737e7a72f870061235.exe
  2504 | KartSvr.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KartSvr = "C:\\Windows\\system32\\KartSvr.exe" | 59980a5a3472e8737e7a72f870061235.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\karnel32.dll | 59980a5a3472e8737e7a72f870061235.exe
  File created | C:\Windows\SysWOW64\KartSvr.exe | 59980a5a3472e8737e7a72f870061235.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  3040 | 59980a5a3472e8737e7a72f870061235.exe
  3040 | 59980a5a3472e8737e7a72f870061235.exe
  2504 | KartSvr.exe
  2504 | KartSvr.exe
  2504 | KartSvr.exe
  2504 | KartSvr.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3040 wrote to memory of 2504 | 3040 | 59980a5a3472e8737e7a72f870061235.exe | 28
  PID 3040 wrote to memory of 2504 | 3040 | 59980a5a3472e8737e7a72f870061235.exe | 28
  PID 3040 wrote to memory of 2504 | 3040 | 59980a5a3472e8737e7a72f870061235.exe | 28
  PID 3040 wrote to memory of 2504 | 3040 | 59980a5a3472e8737e7a72f870061235.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\59980a5a3472e8737e7a72f870061235.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\59980a5a3472e8737e7a72f870061235.exe"
  PID: 3040
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\KartSvr.exe (depth 2, child of PID 3040)
    Command line: "C:\Windows\system32\KartSvr.exe"
    PID: 2504
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: 8d9047175ee6b511ce951a07621a54de
  SHA1: 4a7525c8cb7f89d4228e26504557baf714ee9dc6
  SHA256: 984bf5c1a531ba1c0f55316383dd0b9b91f0661f350b90c96f60b311110de237
  SHA512: dc349e9ef53c927e7840d5aa91255a2e92d440c56bd4075af76eb002ec2dab2c01f5839dc3c9eb99be9e7e5db3ad6e40f6690f7180f764cd9e59bbb01bfc2fc8
- Filesize: 24KB
  MD5: 4fbfed4d1fdc5a71277f9df2be8385d5
  SHA1: 314b0dc2da7d78cfb66312725b6380dfa100d295
  SHA256: a6eee971554e97fd03d0994e84ce73bed3093d7251acf8748f7f9091f1558007
  SHA512: 82fb106024cdf58c4a5cc24e51c83c092e20978436c75b5c16171db60d2074b9bbf53a7b594d70f157477badf9a36c64bf1512ce87c3a4052cd933f094d5e0c4