Analysis
- max time kernel: 162s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2024, 19:57
Behavioral task: behavioral1
- Sample: 7ddd7f9c572b5694c60fbc003614b04e.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7ddd7f9c572b5694c60fbc003614b04e.exe
- Resource: win10v2004-20231215-en
General
- Target: 7ddd7f9c572b5694c60fbc003614b04e.exe
- Size: 62KB
- MD5: 7ddd7f9c572b5694c60fbc003614b04e
- SHA1: 38eb2f33be1749271665ca0bf89a162154bbe2af
- SHA256: 0865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1
- SHA512: cb12f8a031dbb28d4e1baeb6f9ed8c6b0507ab5b8f2ce4194b7c64f760d338ff37f10c85e1493552e3b000753557c1c9b911056321f8c9a0b3e0f9a37128a11a
- SSDEEP: 768:EeglKSgf0Kn2hJRDCExKjWHKfIag5Ikoppb4PVzhOnDA3IGlieyDAlG7yWy6yvAT:EegqsDTAj6yrgmy9SDRMGvyCoup
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 4280, process winkernel32.EXE
- Resources matching yara_rule upx (11 IoCs)
  behavioral2/memory/4364-0-0x0000000000400000-0x0000000000441000-memory.dmp
  behavioral2/files/0x000600000002320b-8.dat
  behavioral2/memory/4364-13-0x0000000000400000-0x0000000000441000-memory.dmp
  behavioral2/memory/4280-75-0x0000000000400000-0x0000000000441000-memory.dmp
  behavioral2/memory/4280-141-0x0000000000400000-0x0000000000441000-memory.dmp
  behavioral2/memory/4280-142-0x0000000000400000-0x0000000000441000-memory.dmp
  behavioral2/memory/4280-143-0x0000000000400000-0x0000000000441000-memory.dmp
  behavioral2/memory/4280-144-0x0000000000400000-0x0000000000441000-memory.dmp
  behavioral2/memory/4280-145-0x0000000000400000-0x0000000000441000-memory.dmp
  behavioral2/memory/4280-146-0x0000000000400000-0x0000000000441000-memory.dmp
  behavioral2/memory/4280-147-0x0000000000400000-0x0000000000441000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST32 = "C:\\Arquivos de programas\\svchost32.EXE" (process: 7ddd7f9c572b5694c60fbc003614b04e.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST32 = "C:\\Arquivos de programas\\svchost32.EXE" (process: winkernel32.EXE)
- Drops file in System32 directory (2 IoCs)
  File created C:\Windows\SysWOW64\comdlg32.ocx (process: winkernel32.EXE)
  File opened for modification C:\Windows\SysWOW64\comdlg32.ocx (process: winkernel32.EXE)
- Drops file in Windows directory (27 IoCs)
  File created C:\Windows\inf\comdlg32.inf (process: winkernel32.EXE)
  File opened for modification C:\Windows\inf\append.inf (process: 7ddd7f9c572b5694c60fbc003614b04e.exe)
  File created C:\Windows\inf\anvaila.inf (process: winkernel32.EXE)
  File created C:\Windows\inf\gereba01.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\r01.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\r02.JPG (process: winkernel32.EXE)
  File opened for modification C:\Windows\ansmtpbuild.dll (process: winkernel32.EXE)
  File created C:\Windows\inf\anenvia.inf (process: winkernel32.EXE)
  File created C:\Windows\inf\r03.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\i04.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\b01.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\i01.JPG (process: winkernel32.EXE)
  File opened for modification C:\Windows\inf\appstart32.inf (process: 7ddd7f9c572b5694c60fbc003614b04e.exe)
  File created C:\Windows\inf\azul02.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\r04.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\i05.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\i06.JPG (process: winkernel32.EXE)
  File opened for modification C:\Windows\ansmtp.dll (process: winkernel32.EXE)
  File created C:\Windows\ansmtpbuild.dll (process: winkernel32.EXE)
  File created C:\Windows\inf\anmanda.inf (process: winkernel32.EXE)
  File created C:\Windows\inf\gereba02.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\azul01.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\i03.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\b02.JPG (process: winkernel32.EXE)
  File created C:\Windows\ansmtp.dll (process: winkernel32.EXE)
  File created C:\Windows\inf\i02.JPG (process: winkernel32.EXE)
  File created C:\Windows\inf\i07.JPG (process: winkernel32.EXE)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 4280, process winkernel32.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4364, process 7ddd7f9c572b5694c60fbc003614b04e.exe
  pid 4280, process winkernel32.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4364 wrote to memory of 4280 (process: 7ddd7f9c572b5694c60fbc003614b04e.exe, procid_target 84)
  PID 4364 wrote to memory of 4280 (process: 7ddd7f9c572b5694c60fbc003614b04e.exe, procid_target 84)
  PID 4364 wrote to memory of 4280 (process: 7ddd7f9c572b5694c60fbc003614b04e.exe, procid_target 84)
Processes
- C:\Users\Admin\AppData\Local\Temp\7ddd7f9c572b5694c60fbc003614b04e.exe (PID 4364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ddd7f9c572b5694c60fbc003614b04e.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\winkernel32.EXE (PID 4280, child process)
    Command line: C:\winkernel32.EXE
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 162B
  MD5: 4f8e702cc244ec5d4de32740c0ecbd97
  SHA1: 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
  SHA256: 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
  SHA512: 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f
- Filesize: 94KB
  MD5: 740d65e38a2f2399adf61dd16740424c
  SHA1: 26a04a0fb338693d433d1ec8c37f7e3d7b46d7a3
  SHA256: a53629e3667bab8af5ed743c76653d1495c3ddc1bd2bd5311ac5ab4945ab3c9d
  SHA512: c1cd9f29b110af36d3e720134f779798e89d618630b2bab92df834dc8dab91330cebd45d3eec5d453354452d0e7bbe1c91b8a58759cd43d071dc1147ffff85db
- Filesize: 28B
  MD5: 7452db5e8f1ec3336bddad6538821e1b
  SHA1: f09f835b7a9a2d017860e37649bf4eeba678481c
  SHA256: 3015ffef210daa73fcc635059b11e6911ff6b32e4ca759d57245d74704d7fb88
  SHA512: 8e0d80ad239868ca83d4ca515ea4bc05e98853604015e01b673b56b9007d03b245066353ec103d34d1cf4e4fa647d76a0736b303581abddf6eb623682fa37d1d
- Filesize: 62KB
  MD5: 7ddd7f9c572b5694c60fbc003614b04e
  SHA1: 38eb2f33be1749271665ca0bf89a162154bbe2af
  SHA256: 0865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1
  SHA512: cb12f8a031dbb28d4e1baeb6f9ed8c6b0507ab5b8f2ce4194b7c64f760d338ff37f10c85e1493552e3b000753557c1c9b911056321f8c9a0b3e0f9a37128a11a