Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
28/01/2024, 19:57
Behavioral task
behavioral1
Sample
7ddd7f9c572b5694c60fbc003614b04e.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7ddd7f9c572b5694c60fbc003614b04e.exe
Resource
win10v2004-20231215-en
General
-
Target
7ddd7f9c572b5694c60fbc003614b04e.exe
-
Size
62KB
-
MD5
7ddd7f9c572b5694c60fbc003614b04e
-
SHA1
38eb2f33be1749271665ca0bf89a162154bbe2af
-
SHA256
0865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1
-
SHA512
cb12f8a031dbb28d4e1baeb6f9ed8c6b0507ab5b8f2ce4194b7c64f760d338ff37f10c85e1493552e3b000753557c1c9b911056321f8c9a0b3e0f9a37128a11a
-
SSDEEP
768:EeglKSgf0Kn2hJRDCExKjWHKfIag5Ikoppb4PVzhOnDA3IGlieyDAlG7yWy6yvAT:EegqsDTAj6yrgmy9SDRMGvyCoup
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2660 winkernel32.EXE -
resource yara_rule behavioral1/memory/3016-0-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/files/0x002f00000001530e-9.dat upx behavioral1/memory/2660-13-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/3016-18-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/2660-154-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/2660-155-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/2660-156-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/2660-157-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/2660-159-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/2660-162-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/2660-163-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/2660-164-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral1/memory/2660-166-0x0000000000400000-0x0000000000441000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SVCHOST32 = "C:\\Arquivos de programas\\svchost32.EXE" 7ddd7f9c572b5694c60fbc003614b04e.exe Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SVCHOST32 = "C:\\Arquivos de programas\\svchost32.EXE" winkernel32.EXE -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\comdlg32.ocx winkernel32.EXE File opened for modification C:\Windows\SysWOW64\comdlg32.ocx winkernel32.EXE -
Drops file in Windows directory 27 IoCs
description ioc Process File created C:\Windows\inf\i07.JPG winkernel32.EXE File created C:\Windows\inf\i05.JPG winkernel32.EXE File created C:\Windows\inf\b01.JPG winkernel32.EXE File created C:\Windows\inf\anmanda.inf winkernel32.EXE File created C:\Windows\inf\anenvia.inf winkernel32.EXE File created C:\Windows\inf\i04.JPG winkernel32.EXE File created C:\Windows\inf\b02.JPG winkernel32.EXE File opened for modification C:\Windows\ansmtpbuild.dll winkernel32.EXE File opened for modification C:\Windows\inf\appstart32.inf 7ddd7f9c572b5694c60fbc003614b04e.exe File created C:\Windows\inf\azul01.JPG winkernel32.EXE File created C:\Windows\inf\r03.JPG winkernel32.EXE File created C:\Windows\ansmtp.dll winkernel32.EXE File created C:\Windows\ansmtpbuild.dll winkernel32.EXE File created C:\Windows\inf\azul02.JPG winkernel32.EXE File created C:\Windows\inf\i01.JPG winkernel32.EXE File created C:\Windows\inf\i02.JPG winkernel32.EXE File opened for modification C:\Windows\inf\append.inf 7ddd7f9c572b5694c60fbc003614b04e.exe File created C:\Windows\inf\r01.JPG winkernel32.EXE File created C:\Windows\inf\i03.JPG winkernel32.EXE File created C:\Windows\inf\i06.JPG winkernel32.EXE File created C:\Windows\inf\comdlg32.inf winkernel32.EXE File created C:\Windows\inf\gereba01.JPG winkernel32.EXE File created C:\Windows\inf\r04.JPG winkernel32.EXE File opened for modification C:\Windows\ansmtp.dll winkernel32.EXE File created C:\Windows\inf\anvaila.inf winkernel32.EXE File created C:\Windows\inf\gereba02.JPG winkernel32.EXE File created C:\Windows\inf\r02.JPG winkernel32.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2660 winkernel32.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3016 7ddd7f9c572b5694c60fbc003614b04e.exe 2660 winkernel32.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2660 3016 7ddd7f9c572b5694c60fbc003614b04e.exe 28 PID 3016 wrote to memory of 2660 3016 7ddd7f9c572b5694c60fbc003614b04e.exe 28 PID 3016 wrote to memory of 2660 3016 7ddd7f9c572b5694c60fbc003614b04e.exe 28 PID 3016 wrote to memory of 2660 3016 7ddd7f9c572b5694c60fbc003614b04e.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ddd7f9c572b5694c60fbc003614b04e.exe"C:\Users\Admin\AppData\Local\Temp\7ddd7f9c572b5694c60fbc003614b04e.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\winkernel32.EXEC:\winkernel32.EXE2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2660
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGM5U0T3\gereba01[1].htm
Filesize162B
MD54f8e702cc244ec5d4de32740c0ecbd97
SHA13adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA2569e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA51221047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f
-
Filesize
94KB
MD50d62f4033e60c48877de4e31acbb2439
SHA1fe7261e7d4f4c7dc7bf3c26bf6b3cb8ea4ed0d06
SHA256be342be2cae9e26fe06dc42b374fb7b2010007665d48a9c26f4c3fb4061e2941
SHA5128e88acc74d9176b9e00416d555af3234e79d6d127678a00568fb5951295cb06c166afd82473bc9e4debeabffd9da95fdd1b7fe8fe34e026e3f3b3ff2e8875698
-
Filesize
28B
MD5cb7139601551c49db0f23ba7a1cc7ac2
SHA14610854239fcb110b344fad2ca678e870052ce7d
SHA256ad1d8114e04e7522738af1be83daf313ef8cd237d8ccc4d2f6478c8f8795feef
SHA51295e1f5b8d3d64d86998fb17f6f218268c90e2830bed0e005f0b622af4bf4eac9093dad5b1f627eda58c971cbe02aaa1ea948fdd9a36128526fb5c7f858830ad9
-
Filesize
62KB
MD57ddd7f9c572b5694c60fbc003614b04e
SHA138eb2f33be1749271665ca0bf89a162154bbe2af
SHA2560865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1
SHA512cb12f8a031dbb28d4e1baeb6f9ed8c6b0507ab5b8f2ce4194b7c64f760d338ff37f10c85e1493552e3b000753557c1c9b911056321f8c9a0b3e0f9a37128a11a