Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a.exe

windows7-x64

7

a.exe

windows10-1703-x64

7

a.exe

windows10-2004-x64

7

a.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    21/02/2024, 11:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a.exe

  • Size

    2.3MB

  • MD5

    ee9a10cc6bd9f7796059ae02ba639f1e

  • SHA1

    23747dee593504e58b971aebe0c141ec6c731f06

  • SHA256

    9e1dffbe4c8972181a53065138ee824127dcef0f9b86d3053f496e1ddb4f4144

  • SHA512

    0ae1239ea582fb113e7598005835c40327dab40f4e4c72c2b18c1344cba32adc769d18f719c4ce92a2be6c9875379ca1c3f493c44c7a799f8078aff7ccf0efdc

  • SSDEEP

    49152:DI10S/UlnJt37NunQ7Djx4Z1OeAps9EWwPgTRNMWhJve8IWye3bJAsjrXh1:DI10blJuGuZgeAp9WjNp5e1Wye3bO8Dz

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\桂台两会提案.docx"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:3040
      • C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe
        "C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe
          "C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:3000
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ping 0.0.0.0 & del "C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe" >> NUL
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Windows\SysWOW64\PING.EXE
            ping 0.0.0.0
            4⤵
            • Runs ping.exe
            PID:1696
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\a.exe > nul
        2⤵
        • Deletes itself
        PID:2364

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\Accounts\goopdate.dll
      Filesize

      544KB

      MD5

      0b06c23090150af11511a2b8d2c80612

      SHA1

      a4561633c0e67210e63e10b5177eebb6213d6465

      SHA256

      84f7b9759a098ddbd0c6f624fc4f545efe128260a5fcfcd12d86b95ffe128a41

      SHA512

      3a5d5ade016ffcc2404d7763ca2eb604525f77508798fdefe8d75e84808ab914ea096202c8a85ad2381c6c05f015d441c43d6cd08bbed9f376e68155c73172a3

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Accounts\theme.dat
      Filesize

      719KB

      MD5

      b7f58a09e03c2c739c7979c160bb648f

      SHA1

      493e61c447304da869c40533106b6aefc05ea711

      SHA256

      7008cc217b3bd218b00a09fbb7b8dcf6f4c7960846259f95cc6355088ce9cb5e

      SHA512

      1becf82ec504a9020f63b09dc9bcbf1e801a020b8926a74700ce0b0116623c111d30d4ff3285cdef87d762660370dfa9d631cf73fd928a0dc482ff5ef32ab6fb

      Download Submit

    • C:\ProgramData\Microsoft\eHome\thumbcache.dat
      Filesize

      14KB

      MD5

      0e854fd4ffb3f976c48250c1678f04cb

      SHA1

      bbede27e1cc170f00810bbf1e24c91baff1bb346

      SHA256

      53174ee7e9d567f60f7d3dfaec223dc8d3c4c2b71d5b8fdc0ff7dfad82b3b5de

      SHA512

      a5ba7b924ea4caeee8ed5ea81beae0e15a3e36f6fd1bc0333349e18505faa0d3417e111b70b50cbc7bfdbf390b267796a2fa32429b1d9cd65ae95bf3d2e92ded

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\桂台两会提案.docx
      Filesize

      11KB

      MD5

      4363693fba849bb28412a957f2ab9be1

      SHA1

      9439d4bc731e970603eec1936eb338a3f32a324a

      SHA256

      4dc5394a0963dce4eb12f186ff47432ab121eb024bbc3cf40d60b21bcc3a0af2

      SHA512

      27c31791bddb37891ea064b1e3654880904cefe5d370ae93f26aaf52273ac1de5e811c389b44bdf06fb1767061a76b3fefa259f971382d71742415f3a9f206c5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      8d9139b7a3b992c01171f65f9e51d2ee

      SHA1

      19c059bb1bf5744e236893d4dd1f09afe0d8d224

      SHA256

      3dcdb8942005d12c60fcab555b535dea8fbfba5f566f1f77878ce7387144c3db

      SHA512

      e5f959ba5100a3893d6a036709b582467524165bf24facf83ccb87bbd08e71b729d0e1ee939564965ff7c168d9e156d7eae8ac63cd61adfe49bb9e57b90babd3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • \ProgramData\Microsoft\Windows\Accounts\intagext.exe
      Filesize

      193KB

      MD5

      39342d0d279b0eb767292c3e01150da6

      SHA1

      69e26aaf3bf889df7f3c6c3d1b43099080ec6b76

      SHA256

      d2b417cf6a903c7154fe07fad1f5eaca9b0b3c5a7a7e80cf1bf16449fc7d24d9

      SHA512

      70e5d6f52a56bfc82c973694cf84a35663d61f262858e8152bf9aaf381ae1e1135cc3111a30c9d0aae6cdbf457a38780a5f860fe8706e7794987bc1e2248c429

      Download Submit

    • \Users\Admin\AppData\Local\Temp\agentaez1y.exe
      Filesize

      2.2MB

      MD5

      1161070b198d3a360bb699a58197c102

      SHA1

      f2872fc4101fa4781c6f7206e50eae3d1c5e79e2

      SHA256

      30f58490b5ac155bd5fab3a72e2d112dbfa599670b3d6fcdf9150aee0f9c4810

      SHA512

      da99f707f0d462592135161dfd80978e229fa0ec672dffcfa8c7b63c2518111cfcee144861385528b92c3ec112010acf46096b31fddfdcfdfa878c7b91eaa6c2

      Download Submit

    • memory/1708-34-0x0000000000400000-0x0000000000630000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1708-13-0x0000000000250000-0x0000000000251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1708-95-0x0000000000400000-0x0000000000630000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2496-4-0x000000002FB01000-0x000000002FB02000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2496-15-0x0000000070EFD000-0x0000000070F08000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2496-14-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2496-96-0x0000000070EFD000-0x0000000070F08000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2496-124-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3000-69-0x0000000010000000-0x00000000100AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/3000-102-0x0000000001E90000-0x0000000001F3E000-memory.dmp

      Filesize

      696KB

      Download