Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2024, 14:52

General

  • Target

    Server.exe

  • Size

    93KB

  • MD5

    90ac8a759ee08383aae9e92c55550701

  • SHA1

    acb356c4b297f8072e744955a35b52ffb1f403d2

  • SHA256

    d1e1a276ad4820f0472c8acac3f9d17d3bcd64bbe35f5c38148533f1f5b14603

  • SHA512

    19363a421ea763a0e5befab5134fdb90d8eee4a45ede263ca4abbd92c71a454c2cab4b9dca32d1480bedc335df79830795580d93f33afae2d364b51310e92fdd

  • SSDEEP

    1536:h+IYW6qbkW8aVpO1ARkoojEwzGi1dDUDxgS:h+88aVpO2SCi1dqu

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\server.exe
      "C:\Windows\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    410c3c7c3e0376e2f9b228980b58d042

    SHA1

    3aec3fa12cd88edca90fdc72a0d25cd071dc2052

    SHA256

    5c272042cede2596555e6b6f2c36857b015ccab9f34affbc63d6b000ccd08391

    SHA512

    2a1e382b045d59580271cb05b521d0c6e99772be7cd5ce38d3e5e1997a4cb9d3fe5d424a24c67383a5a2d0002d4a2194f71e1604fa9ff0199944f8cee9b26a57

  • C:\Windows\server.exe

    Filesize

    93KB

    MD5

    90ac8a759ee08383aae9e92c55550701

    SHA1

    acb356c4b297f8072e744955a35b52ffb1f403d2

    SHA256

    d1e1a276ad4820f0472c8acac3f9d17d3bcd64bbe35f5c38148533f1f5b14603

    SHA512

    19363a421ea763a0e5befab5134fdb90d8eee4a45ede263ca4abbd92c71a454c2cab4b9dca32d1480bedc335df79830795580d93f33afae2d364b51310e92fdd

  • memory/2088-0-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2088-1-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2088-2-0x0000000000270000-0x00000000002B0000-memory.dmp

    Filesize

    256KB

  • memory/2088-13-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2756-14-0x0000000000090000-0x00000000000D0000-memory.dmp

    Filesize

    256KB

  • memory/2756-12-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2756-52-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2756-53-0x0000000000090000-0x00000000000D0000-memory.dmp

    Filesize

    256KB