Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 01/02/2024, 08:20
Static task
- static1
Behavioral tasks
- behavioral1: sample 8665134c70aa1777e0c561e72b4730e6.exe, resource win7-20231215-en
- behavioral2: sample 8665134c70aa1777e0c561e72b4730e6.exe, resource win10v2004-20231215-en
- behavioral3: sample $PLUGINSDIR/InstallOptions.dll, resource win7-20231215-en
- behavioral4: sample $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20231215-en
- behavioral5: sample $PLUGINSDIR/System.dll, resource win7-20231129-en
- behavioral6: sample $PLUGINSDIR/System.dll, resource win10v2004-20231222-en
General
- Target: 8665134c70aa1777e0c561e72b4730e6.exe
- Size: 46KB
- MD5: 8665134c70aa1777e0c561e72b4730e6
- SHA1: a2ed04425c013fb6d785d008f0ad4d23c6048b15
- SHA256: e444561b6d35857597dcaca55615c078c76579002039825eb83ab7799a48903b
- SHA512: f9a1b44f7bf00ef2da071b84d944fc25ceb1066b40bf0373cbe740dddbb0c954338cd9b70aa8dd50678f6f3ddc1c878be53aaee351c27c817a37f3eb83250144
- SSDEEP: 768:SSup23EQCjlQRB8/ewZ1iU6nyYFxbssT/F/O71mJ5TJRn0OCDE7kCEerjgPt9f5n:Hu4EQalMK/ewGnh0mJ6grjg/fN
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2744, process Au_.exe
- Loads dropped DLL (3 IoCs)
  pid 1700, process 8665134c70aa1777e0c561e72b4730e6.exe
  pid 2744, process Au_.exe
  pid 2744, process Au_.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource behavioral1/files/0x002b0000000186c1-2.dat, yara_rule nsis_installer_1
  resource behavioral1/files/0x002b0000000186c1-2.dat, yara_rule nsis_installer_2
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1700 wrote to memory of 2744 (process 8665134c70aa1777e0c561e72b4730e6.exe, procid_target 28)
  PID 1700 wrote to memory of 2744 (process 8665134c70aa1777e0c561e72b4730e6.exe, procid_target 28)
  PID 1700 wrote to memory of 2744 (process 8665134c70aa1777e0c561e72b4730e6.exe, procid_target 28)
  PID 1700 wrote to memory of 2744 (process 8665134c70aa1777e0c561e72b4730e6.exe, procid_target 28)
Processes
- C:\Users\Admin\AppData\Local\Temp\8665134c70aa1777e0c561e72b4730e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8665134c70aa1777e0c561e72b4730e6.exe"
  PID: 1700
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (child of PID 1700)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    PID: 2744
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 457B
  MD5: d8c921f0d26afe35a09b75c703f80680
  SHA1: 992bc7bf5438a26f3df868b82e7d75df25401004
  SHA256: 8486bf5bf1d30d0287be6dfb0192a6b7a7841559d5aeb594807f675979261d91
  SHA512: 085916fa59897395767bc44b6215e851ffcb0653fe394cd413953298cae8e8b64e8dbfa7ffb4f780281c923e2827c22a4d15be44a9b7b377aab431754e5e601b
- Filesize: 14KB
  MD5: 06bef96b91bfa75b7f7817341a6cd597
  SHA1: 48a40368fc339ccea1dfda06d2e02bca7d7265c1
  SHA256: 2ca5590c85cc31285b83bbe569755d909d91b559db2d6ce3bca2fcc075225364
  SHA512: 5364d0944b4be215fb5d8bb8398e965ff6fa3190a962dd6c491984482321756017f89c2242d77ebcce6666c31fe54a956f2eb3a03a95d64121a1db462ad20a0d
- Filesize: 10KB
  MD5: 7e3c808299aa2c405dffa864471ddb7f
  SHA1: b5de7804dd35ed7afd0c3b59d866f1a0749495e0
  SHA256: 91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd
  SHA512: 599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738
- Filesize: 46KB
  MD5: 8665134c70aa1777e0c561e72b4730e6
  SHA1: a2ed04425c013fb6d785d008f0ad4d23c6048b15
  SHA256: e444561b6d35857597dcaca55615c078c76579002039825eb83ab7799a48903b
  SHA512: f9a1b44f7bf00ef2da071b84d944fc25ceb1066b40bf0373cbe740dddbb0c954338cd9b70aa8dd50678f6f3ddc1c878be53aaee351c27c817a37f3eb83250144