Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

637cbb8198...87.exe

windows7-x64

8

637cbb8198...87.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2024, 02:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    637cbb8198159c5c2e533342e104ebfc733e5f931575d1147e425251c63f6787.exe

  • Size

    779KB

  • MD5

    29ed8ed38aa3310224ef25972588a369

  • SHA1

    d7ff6bc8075abd5f500d10994061c737ede21740

  • SHA256

    637cbb8198159c5c2e533342e104ebfc733e5f931575d1147e425251c63f6787

  • SHA512

    e42a55fa01a6b8340c087f7ac15d117933baa91467777f25a7868629d48db2fc6703e3d976e1da4a160d9c20383a8d5ce75f52e8e2425c9f4126aab39e11ca9b

  • SSDEEP

    12288:xPJTcmjRN6KSYqk5lvgKTgt9awhBcxetQmBVRTqeRKwpNtW4fo:lJ4m9iyv28whSwNBVRTwwpK

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\637cbb8198159c5c2e533342e104ebfc733e5f931575d1147e425251c63f6787.exe
    "C:\Users\Admin\AppData\Local\Temp\637cbb8198159c5c2e533342e104ebfc733e5f931575d1147e425251c63f6787.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\637cbb8198159c5c2e533342e104ebfc733e5f931575d1147e425251c63f6787.exe
      C:\Users\Admin\AppData\Local\Temp\637cbb8198159c5c2e533342e104ebfc733e5f931575d1147e425251c63f6787.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • System policy modification
      PID:3004
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:2836
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2840

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CabDA89.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarDB08.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • \Users\Admin\AppData\Local\Temp\637cbb8198159c5c2e533342e104ebfc733e5f931575d1147e425251c63f6787.exe
      Filesize

      779KB

      MD5

      ede5675d1a348880a9befe1b76d4f735

      SHA1

      9612f867b00922aa19971695a33814647176c4e2

      SHA256

      93eb21cc59f347c0b7792dcf922b45d892f4543d1b812c46ba37460ca7f1c510

      SHA512

      84fcc50626fbb33839ace8e16904dfd9a53c810e99ce67f55715aa9d387a87eb6ddc46bfd2e2531a777a527b509856f67031ada0308a51b906c905d9f683f1a3

      Download Submit

    • memory/1500-0-0x0000000000400000-0x000000000047C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/1500-6-0x00000000001D0000-0x000000000024C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/1500-9-0x0000000000400000-0x000000000047C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/2840-63-0x0000000003F80000-0x0000000003F81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-64-0x0000000003F80000-0x0000000003F81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-11-0x0000000000400000-0x000000000047C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/3004-13-0x0000000002CC0000-0x0000000002D3C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/3004-12-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/3004-20-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/3004-61-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download