Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/02/2024, 12:18

General

  • Target

    996887ad773945a7884931c5f1ff5c94.exe

  • Size

    61KB

  • MD5

    996887ad773945a7884931c5f1ff5c94

  • SHA1

    bbe87a1764221a20f8f35b4291ddb5cce7a8f468

  • SHA256

    ff1caada5738fcb6cd6e4e83841e2bdfe49cbf767d7d4d6f1fd437e56b702a89

  • SHA512

    7ec3b233032423ce0d09dbb23b31af24f82469b07e0ff11b728bcbc3e22bf95e829a14565fe8b8199d461ed431f3b2d19146ff8cf934c92fb2eb650266a0dfaa

  • SSDEEP

    1536:B4lqiNHnPSMQQ+Z45SNTxdBlsZr48ECzJP0xBt7haC:GaMQ/7NdrlxaFPkt9

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Runs .reg file with regedit 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\996887ad773945a7884931c5f1ff5c94.exe
    "C:\Users\Admin\AppData\Local\Temp\996887ad773945a7884931c5f1ff5c94.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\aaa.reg
      2⤵
      • Modifies WinLogon for persistence
      • Runs .reg file with regedit
      PID:2496
    • C:\Users\Admin\AppData\Local\Temp\msdtr.exe
      C:\Users\Admin\AppData\Local\Temp\msdtr.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy \*.*
        3⤵
          PID:2692
        • C:\Windows\SysWOW64\regedit.exe
          regedit.exe /s /e Lù\back1.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
          3⤵
          • Runs .reg file with regedit
          PID:2700
        • C:\Windows\SysWOW64\regedit.exe
          regedit.exe /s /e Lù\back2.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
          3⤵
          • Runs .reg file with regedit
          PID:2784
        • C:\ProgramData\Application Data\Microsoft\Comon\ctfmon.exe
          "C:\ProgramData\Application Data\Microsoft\Comon\ctfmon.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            4⤵
            PID:2728
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\ProgramData\Documents\microtm.bat
          3⤵
          PID:2164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Documents\microtm.bat

    Filesize

    62B

    MD5

    52494916da068530cd4545e8a376b776

    SHA1

    382641c9522d8a12df6449f5f31b53c3e732f0c5

    SHA256

    8dfdb5794c1ec9b8a108ea0ec682b409527b6c2e79960acae91000b8df239c03

    SHA512

    35e099987dc8001bb7f7c38c105b85533b4bd603f4c1a91f5c6d08c271df0e2bfe3f8811582e36e79847dc3c6f51fe38df531ad063e7de5c328e84a8af985089

  • C:\Users\Admin\AppData\Local\Temp\aaa.reg

    Filesize

    413B

    MD5

    e62423d7be4ca6661ca629d6b7a9a104

    SHA1

    ae0e34911292701ff9c94869364a36b98ef76fed

    SHA256

    11fa728742f4d51b25bc1e16fc77db63226fc702c10b5e3c6f098f562fdae64c

    SHA512

    9de8f6b68f28637ef4844df8914b926a3d7e90e3013b4aa4e871eda3e5d8d9525747541061f9e46528c1201a10bab520c763ad2dc5e841001eb5b24f077f79c7

  • \ProgramData\Microsoft\Comon\ctfmon.exe

    Filesize

    35KB

    MD5

    0e5e9d9e01f8e7eb7c2a04a88e4899e3

    SHA1

    16da045e831a404f25e239602387c72dab3e38b1

    SHA256

    fd7811e18521f4761030e08b5c3ab46b71163637d193dedc1fe91639b3e98f5e

    SHA512

    d1b8b9b5a5e246cdd40ee6fb3c53bb7d36415ea484101548ed3c2468a51b29c3ad7bf1cc7741799e9d80b04a0c821a21759094b90407fcdc7c9faa8449060d4e

  • \Users\Admin\AppData\Local\Temp\msdtr.exe

    Filesize

    41KB

    MD5

    4c3dce52edaec8f5e3a7a8775623d669

    SHA1

    e54587845bb153cade4c025d6519ace63d1ac92f

    SHA256

    b4a33369d9f2b2a43196229106bd21bb4cada7aebf662fa369d65101856df9a9

    SHA512

    70b1f49d8cc39272ef96a11c19d2a2a710bf976402c7091a47b396c476c05b113aadf8be45300477774a7ec8cc2d2e56ba953ea0a181dc934e2b766634dfcc9f

  • memory/2700-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/2728-25-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2728-23-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2728-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2784-11-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2924-26-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB