Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

a14985182f...66.exe

windows7-x64

8

a14985182f...66.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2024, 07:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a14985182fcd6d0aff13c375c15d5566.exe

  • Size

    268KB

  • MD5

    a14985182fcd6d0aff13c375c15d5566

  • SHA1

    b11f615163e71e623273cc456559c15009cce6cc

  • SHA256

    a9a0b49c1d3b073a04f6f7cb74c688c9ef5de9ef1dbfbd8e0f2da8b90031be45

  • SHA512

    70425cca4b7525f0ed930cee582f641b560bf0c6d8cb2bc8340f9be5f2b3834669a62409ba4dba34ca6fa1819845aa2da2c2115ab62975580d795018c8f4919a

  • SSDEEP

    3072:Bskvo5NHSuErdFqOgzletQj7ExJcSlrtpihGKAOdDI/eVpcLet0v9X3yiZgftJih:oyucGZeQ4kSl5piN5Jp6dreQWdb

Score
8/10
persistence

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a14985182fcd6d0aff13c375c15d5566.exe
    "C:\Users\Admin\AppData\Local\Temp\a14985182fcd6d0aff13c375c15d5566.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\259410770.bat" "C:\Users\Admin\AppData\Local\Temp\a14985182fcd6d0aff13c375c15d5566.exe""
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\a14985182fcd6d0aff13c375c15d5566.exe"
        3⤵
        • Views/modifies file attributes
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259410770.bat
    Filesize

    97B

    MD5

    d226a657b279c5fc0a892748230a56ff

    SHA1

    fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

    SHA256

    9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

    SHA512

    07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

    Download Submit

  • \Windows\SysWOW64\mounetup.dll
    Filesize

    86KB

    MD5

    8c4e2f845b96e1de93f8907bdff9e4a1

    SHA1

    ddd6ceb172427fb5a203b859b83fc25180fc98bf

    SHA256

    55d9b4ebd3bfbf135151ca5f15c85eff7cbb489552aa97ce14a57617a25e09d2

    SHA512

    897ddeaec45e4d88fe770e6966702e269529bb3448b2aadbd98c58cab0437bc96bb7250dfef34df3e23a5d951e8e7b5206b38e9ef5e20a6b71f438cbab9e1ba4

    Download Submit

  • memory/2008-0-0x0000000001000000-0x0000000001043000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2008-18-0x0000000001000000-0x0000000001043000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2452-22-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2452-23-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2452-24-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

    Download