Analysis
- max time kernel: 91s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/02/2024, 21:37
Static task: static1
Behavioral task: behavioral1
  Sample: 99f7ada73a4c4f1dac4fa96156dd344d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 99f7ada73a4c4f1dac4fa96156dd344d.exe
  Resource: win10v2004-20231215-en
General
- Target: 99f7ada73a4c4f1dac4fa96156dd344d.exe
- Size: 326KB
- MD5: 99f7ada73a4c4f1dac4fa96156dd344d
- SHA1: 63389f9a650fbf7f1c9119c2a3f5485bb62c34f2
- SHA256: 20916e9bafdb6d5e5a919e9fd8fcf2e168b22a12837dc544bf43e7060dcf3544
- SHA512: 2f23fd67c0018f57f8ceeb09008b7f8de7d67673eedde253ce23f8fa7c944ff57ad47d70c2a3325e9e6437e54d798cb2d6bb8bb34354f30db3876dfff59355b2
- SSDEEP: 6144:6r4I9uEo2S1YnQmCX492DkwNP3qpYFuT9U1FZA5MRwxuhhfch6clge:6r4gu6/eIo4nULZKMRwxuPfk6m
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
    pid   Process
    1120  99f7ada73a4c4f1dac4fa96156dd344d.exe
    1120  99f7ada73a4c4f1dac4fa96156dd344d.exe
    1120  99f7ada73a4c4f1dac4fa96156dd344d.exe
- Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
    Disk information is often read in order to detect sandboxing environments.
    description           ioc                                                         Process
    Key opened            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   99f7ada73a4c4f1dac4fa96156dd344d.exe
    Key value enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum   99f7ada73a4c4f1dac4fa96156dd344d.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    1120  99f7ada73a4c4f1dac4fa96156dd344d.exe
    1120  99f7ada73a4c4f1dac4fa96156dd344d.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                      pid   Process                               procid_target
    PID 1120 wrote to memory of 100  1120  99f7ada73a4c4f1dac4fa96156dd344d.exe  86
    PID 1120 wrote to memory of 100  1120  99f7ada73a4c4f1dac4fa96156dd344d.exe  86
    PID 1120 wrote to memory of 100  1120  99f7ada73a4c4f1dac4fa96156dd344d.exe  86
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\99f7ada73a4c4f1dac4fa96156dd344d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\99f7ada73a4c4f1dac4fa96156dd344d.exe"
      PID: 1120
      - Loads dropped DLL
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin34ED.bat"
        PID: 100
Network
MITRE ATT&CK Enterprise v15
Downloads