Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

8634a3db54...79.exe

windows7-x64

7

8634a3db54...79.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/02/2024, 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe

  • Size

    814KB

  • MD5

    daeeb64bc3b2ca69d5062b932d9f5486

  • SHA1

    d958e304dbd45b11f414034799e005510ff2d94d

  • SHA256

    8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679

  • SHA512

    6db8fc36dfd4b0ce9c4e15f27c25760cd361f78bffbc8e39796f846f324b58fb90800fe9ca6c1f2e35f415ae7ba880730aeaa4a90621bb1634b7c12e04742d0a

  • SSDEEP

    12288:6JTQdb6aT/+OkC2WOPASrfuhheB0IyXUJW+QiAukU30+9Ir/CSQC:mTQdb6aTfkC2WOIOI4qIwUk+T/G/CA

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe
    "C:\Users\Admin\AppData\Local\Temp\8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe
      "C:\Users\Admin\AppData\Local\Temp\8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 68
        3⤵
        • Program crash
        PID:2420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\hotdoggen.ini
    Filesize

    50B

    MD5

    70345464ba62a9453db2f24c1bc10881

    SHA1

    62fe4814d1b6082b46c196734b9eaf33b9b691bb

    SHA256

    cc7e912d757a17a09ced10401c69d122b7972d4f9f6e26705e18a8cfe3ebef40

    SHA512

    b0ed1640898ebf66797489862be3acdff589b161106c688e0536cabd91f673a75126a70b9363b078d8c88144d547ded4e8980e457c8e75e1477aadbb5414ae3a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso6AD5.tmp\System.dll
    Filesize

    11KB

    MD5

    2ae993a2ffec0c137eb51c8832691bcb

    SHA1

    98e0b37b7c14890f8a599f35678af5e9435906e1

    SHA256

    681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

    SHA512

    2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso6AD5.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    b648c78981c02c434d6a04d4422a6198

    SHA1

    74d99eed1eae76c7f43454c01cdb7030e5772fc2

    SHA256

    3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

    SHA512

    219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

    Download Submit

  • memory/552-332-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/552-308-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/552-338-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/552-304-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/552-305-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/552-306-0x0000000077040000-0x00000000771E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/552-307-0x0000000077266000-0x0000000077267000-memory.dmp

    Filesize

    4KB

    Download

  • memory/552-337-0x0000000077230000-0x0000000077306000-memory.dmp

    Filesize

    856KB

    Download

  • memory/552-331-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/552-336-0x0000000034F80000-0x0000000035283000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/552-333-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/552-334-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/552-335-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2720-301-0x0000000077040000-0x00000000771E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2720-302-0x0000000077230000-0x0000000077306000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2720-303-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

    Download