Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2024, 23:53

General

  • Target

    63f11d7bef9ed55da42911d406f91412.exe

  • Size

    3.9MB

  • MD5

    63f11d7bef9ed55da42911d406f91412

  • SHA1

    3e6a3d7fb598a18f2db9c965040a8b34e588fe3a

  • SHA256

    20d0a838a1bb70e9cb849f304b2831e1eba3e065ebe32677268fa821630cf7d2

  • SHA512

    385530dfe5c051783dcdbe26e3590f68385f5c2a680ed48ec016803be319f0db6504e61633799ed35cc6b30527c6722f445032396118b89434417f4c3154ae96

  • SSDEEP

    98304:rmWXJgrGm7+pUJcakcibiqhMbMgOn7n0bcakcibiqhxe64MhRirLccakcibiqhM:iCJgymkUJdlirybMgOnkdlir2LMbicdK

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63f11d7bef9ed55da42911d406f91412.exe
    "C:\Users\Admin\AppData\Local\Temp\63f11d7bef9ed55da42911d406f91412.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\Temp\63f11d7bef9ed55da42911d406f91412.exe
      C:\Users\Admin\AppData\Local\Temp\63f11d7bef9ed55da42911d406f91412.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\63f11d7bef9ed55da42911d406f91412.exe" /TN m8v9k5kD0c8e /F
        3⤵
        • Creates scheduled task(s)
        PID:2868
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN m8v9k5kD0c8e > C:\Users\Admin\AppData\Local\Temp\NngVw.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN m8v9k5kD0c8e
          4⤵
          PID:2400

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\63f11d7bef9ed55da42911d406f91412.exe

      Filesize

      3.0MB

      MD5

      865d682223c5272b7af5c16881c9de86

      SHA1

      90482056812e222da057bc52587db58cff08894e

      SHA256

      e5751c44f89a4f1d3d3094522ce60cfb07f051a43475010fe0a4259a1846b19c

      SHA512

      609be8bb807ddabd70369d5480b2f9517f55dc49f828d7f71914778141abae653385b50b2f4e12595a0f1aa1800bd9a119b7611b23186f17402d1d8da8781aa4

    • C:\Users\Admin\AppData\Local\Temp\NngVw.xml

      Filesize

      1KB

      MD5

      da3b1adb741213d51bfabc1520b69c40

      SHA1

      711e5bbb30eac955a3e3970c6d7cc75a66fa6843

      SHA256

      ba186d4486ceb28a8745702a21fafc1a7da0b762e6cfb6cea6e66e6223c6f40e

      SHA512

      1cce383cf8f5d639519040c2d5b9fb785f28422264fb49d819cae28fea92aace58a62c93deb6d341b9678f8e0a3484ec9a37a0df5e1abe5cf40adac09b99c46d

    • \Users\Admin\AppData\Local\Temp\63f11d7bef9ed55da42911d406f91412.exe

      Filesize

      2.1MB

      MD5

      009128ff55a8c9ab2a9a5a4ec8097948

      SHA1

      bf770c59cd21d401f1fcdcd70d6f72c1e4a65f68

      SHA256

      1068028d779347cd3e79670881ba17c941020dddbc033e6e3a7eba712cbbddbc

      SHA512

      e5fd36bd79c6320817684a24daf56fcc9be59a65d0f31e4db1f5cfe96d3d86b7c0d46969b4fe2aadcde9df950acf4914f62945d0c012a53cdf0a464510b48f1d

    • memory/2180-19-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2180-21-0x0000000000370000-0x00000000003EE000-memory.dmp

      Filesize

      504KB

    • memory/2180-26-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/2180-30-0x0000000000470000-0x00000000004DB000-memory.dmp

      Filesize

      428KB

    • memory/2180-54-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2528-0-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2528-15-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/2528-16-0x0000000023610000-0x000000002386C000-memory.dmp

      Filesize

      2.4MB

    • memory/2528-1-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/2528-2-0x0000000001660000-0x00000000016DE000-memory.dmp

      Filesize

      504KB