Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 13/02/2024, 21:37
Static task: static1
Behavioral task: behavioral1
- Sample: 99f7ada73a4c4f1dac4fa96156dd344d.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 99f7ada73a4c4f1dac4fa96156dd344d.exe
- Resource: win10v2004-20231215-en
General
- Target: 99f7ada73a4c4f1dac4fa96156dd344d.exe
- Size: 326KB
- MD5: 99f7ada73a4c4f1dac4fa96156dd344d
- SHA1: 63389f9a650fbf7f1c9119c2a3f5485bb62c34f2
- SHA256: 20916e9bafdb6d5e5a919e9fd8fcf2e168b22a12837dc544bf43e7060dcf3544
- SHA512: 2f23fd67c0018f57f8ceeb09008b7f8de7d67673eedde253ce23f8fa7c944ff57ad47d70c2a3325e9e6437e54d798cb2d6bb8bb34354f30db3876dfff59355b2
- SSDEEP: 6144:6r4I9uEo2S1YnQmCX492DkwNP3qpYFuT9U1FZA5MRwxuhhfch6clge:6r4gu6/eIo4nULZKMRwxuPfk6m
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  pid   Process
  2040  99f7ada73a4c4f1dac4fa96156dd344d.exe
  2040  99f7ada73a4c4f1dac4fa96156dd344d.exe
  2040  99f7ada73a4c4f1dac4fa96156dd344d.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description           ioc                                                        Process
  Key opened            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  99f7ada73a4c4f1dac4fa96156dd344d.exe
  Key value enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum  99f7ada73a4c4f1dac4fa96156dd344d.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2040  99f7ada73a4c4f1dac4fa96156dd344d.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid   Process                               procid_target
  PID 2040 wrote to memory of 636  2040  99f7ada73a4c4f1dac4fa96156dd344d.exe  30
  PID 2040 wrote to memory of 636  2040  99f7ada73a4c4f1dac4fa96156dd344d.exe  30
  PID 2040 wrote to memory of 636  2040  99f7ada73a4c4f1dac4fa96156dd344d.exe  30
  PID 2040 wrote to memory of 636  2040  99f7ada73a4c4f1dac4fa96156dd344d.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\99f7ada73a4c4f1dac4fa96156dd344d.exe (PID 2040)
  command line: "C:\Users\Admin\AppData\Local\Temp\99f7ada73a4c4f1dac4fa96156dd344d.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 636)
    command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin34ED.bat"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1023B
  MD5: aca9706e2a6a8d91f125ee45a3bc14d3
  SHA1: 0fa05b18943ab34d2b0063ac35c848be38207b3f
  SHA256: 4bb5adf0b5599283e522026c9f029bc8ced6f7fc346f91128aee260d880a0d5c
  SHA512: cd391a16cdfa42bb6fac905a44b2ae09b2d19b295ae46799428a235358753821f52d04e19749e5a79b60b485cc35d33538bdd0724cdaca3f012e8a34c8f902b9
- Filesize: 50B
  MD5: e2a3c1cacd0b7c252f8ef01df7e9a608
  SHA1: 806afceab72757c6ddfde1a17ddd9e731885efe4
  SHA256: 193898461444e2e1dcb05b39cd78972af3bd2a3c21fba7d328ff9a8ef113d5b6
  SHA512: bcb139a17594afdd50d44134afe191bcff76ffc9c950f9af1afb146cdb5665d0efbceba1bc35b94db9e4df95bbfe88cc1a887c5b93526222d20c2e23fb9225a7
- Filesize: 2KB
  MD5: 7992e88b2763c99c24416d6ebce88122
  SHA1: 0574110d8032aa337c4cbb0837ecca40e187d883
  SHA256: 8e72c04f8b95fe2af21a350739461527136b17730059722ed85a2b73b7df1538
  SHA512: 68aa293d6ee68ce5605490304a37cfda8abf5b4e8362946d492abb879773d79824519cf73368a01c13fea4eecf46f3e4e5afe0fea44bd56288b6379dcf6a25c2
- Filesize: 15KB
  MD5: e717f6ce3a7429bfa6d7f3cf66737a4b
  SHA1: 01f4042589b4ed88c351ffeac256be7a9d884818
  SHA256: 7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633
  SHA512: 65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80
- Filesize: 14KB
  MD5: fd7ffd6a90536af8391733e3695e3740
  SHA1: 6774868b160ec653a594a8c29ebc5c432a6615bb
  SHA256: dddc311ded9236e2c582d9df11639b8119c2d9265799f225d9efb047c9f3118a
  SHA512: 3279d7277d587df6c20ddccb487a24fb2cd41f88b701a93b1166bb8f3653b752509fd675858ccf12d7c47fea6b82c2e201e96bc54500b76fd9a6169681527638
- Filesize: 269KB
  MD5: af7ce801c8471c5cd19b366333c153c4
  SHA1: 4267749d020a362edbd25434ad65f98b073581f1
  SHA256: cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e
  SHA512: 88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c
- Filesize: 91KB
  MD5: 396573acf88c363e3406677f3353d886
  SHA1: 95d078a2ff0eb1a884b932e08805cf178796b19b
  SHA256: e269f87987fb85313f0d1b276656020470b04e5e545784f5b3e03f9ca611b482
  SHA512: a5a0c72287044ebeba9ec45f46716592b945479a219b71a78e070f842a6d1c9c0c79d253946bf793b19b9dbbc2b05459ff7fdb0efaadc474c0b5190d828cc6b6
- Filesize: 179KB
  MD5: 7f1a24ce168088160daed38269c01b78
  SHA1: 675c432b4a7b15f9a34fff8dd5f6c3984de5cb80
  SHA256: 6a97e35fbd5b3a8eab2ee6ddf440d381301476c16f9d7b4c22fcb1db77122762
  SHA512: 9d0e5ce57e446e04807b1fae4754874f967ece17b7692b06b2ce3e5f0388d896b39244cd4199f7f8e401a28a43b968194a14a9a252432b9542cfccb5d4f971e2