Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a1234afaf3...52.exe

windows7-x64

7

a1234afaf3...52.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2024, 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1234afaf3fec88126e282ddb4ccb052.exe

  • Size

    687KB

  • MD5

    a1234afaf3fec88126e282ddb4ccb052

  • SHA1

    8c00e0df60feec0254a54cd0edb4327cdac2cdb8

  • SHA256

    dccca60d7f67e773dce519de7e535f95880d08c6692966693592467fdfedc72b

  • SHA512

    c0ecb2ff756225c446f34abb45503ecd52547dc63da42db5229f759fb30001fa42b1c7a877740fe23095fa0b6e367f6cbc38f34d53d9de20b328d4e70b3479e3

  • SSDEEP

    12288:rKqI/NVA4LuX1rTcMYWnXUOC+0b4ZCOh+F3Z4mxxODRw2RaeoWgxRBuMr:rZI/NulfXYeU/Tc0Oh+QmX8RwaaeqTxr

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1234afaf3fec88126e282ddb4ccb052.exe
    "C:\Users\Admin\AppData\Local\Temp\a1234afaf3fec88126e282ddb4ccb052.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\uninstal.bat
        3⤵
          PID:2456
    • C:\Windows\server.exe
      C:\Windows\server.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        2⤵
          PID:2644

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\uninstal.bat
        Filesize

        150B

        MD5

        5edd682a8b1f2bf873300774f954ab03

        SHA1

        2cca4e743d02dbccf31b784ea26a60c03dcc9637

        SHA256

        a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

        SHA512

        916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

        Download Submit

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
        Filesize

        775KB

        MD5

        dae06df43424b36cb828a7f6e7ff5f6a

        SHA1

        c29eb9c664b0370a98869b6380f8777ac0018c05

        SHA256

        4a08e89e44a7c7f333f5716120a3cb0fa8f14ae3559adc8f1bd7eadcc0ac5d63

        SHA512

        9648ca7578133a5ee62666426a1c53b5a20ac59f9f204d826b6bce2df46a4340086ac259ab6b9d096c633f32af840ced3dfb3bb6029984095ff9762a302cc300

        Download Submit

      • memory/2556-48-0x0000000000400000-0x00000000004CB000-memory.dmp

        Filesize

        812KB

        Download

      • memory/2556-34-0x0000000000320000-0x0000000000321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-7-0x0000000000360000-0x0000000000361000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-6-0x0000000000370000-0x0000000000371000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-19-0x0000000000A40000-0x0000000000A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-18-0x0000000000D70000-0x0000000000D71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-17-0x0000000000860000-0x0000000000861000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-16-0x00000000009F0000-0x00000000009F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-15-0x00000000008A0000-0x00000000008A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-14-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-13-0x0000000000840000-0x0000000000841000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-12-0x0000000000850000-0x0000000000851000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-11-0x00000000008C0000-0x00000000008C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-10-0x0000000000870000-0x0000000000871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-9-0x0000000000890000-0x0000000000891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-8-0x0000000000820000-0x0000000000821000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-0-0x0000000001000000-0x0000000001113000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2932-20-0x0000000000A20000-0x0000000000A21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-5-0x0000000000300000-0x0000000000301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-4-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-3-0x0000000000380000-0x0000000000381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-2-0x0000000000330000-0x0000000000331000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-24-0x0000000000350000-0x0000000000351000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-21-0x0000000000A10000-0x0000000000A11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-23-0x0000000000D80000-0x0000000000D81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-50-0x00000000006C0000-0x0000000000714000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2932-22-0x0000000000D90000-0x0000000000D91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2932-1-0x00000000006C0000-0x0000000000714000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2932-49-0x0000000001000000-0x0000000001113000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2988-40-0x00000000003F0000-0x00000000003F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2988-52-0x0000000000400000-0x00000000004CB000-memory.dmp

        Filesize

        812KB

        Download

      • memory/2988-53-0x0000000000400000-0x00000000004CB000-memory.dmp

        Filesize

        812KB

        Download

      • memory/2988-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2988-58-0x0000000000400000-0x00000000004CB000-memory.dmp

        Filesize

        812KB

        Download