Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/02/2024, 06:54

Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Plite.exe
  Resource: win7-20240221-en
General
Target: Backdoor.Win32.Plite.exe
Size: 61KB
MD5: ac18dbe74249bdd64ff7ddb125320064
SHA1: 4f5d6ef53aa3a2e8231f117225aea666b0320783
SHA256: 62f71e49ed5f1a322324c58e9aa1e97e206ddba975aa55e08c6d26f1fa787b0f
SHA512: 93328d2a668fbe14e1ddcf00cfaef5dda61a88e0fabfac5e66c1129fe2e56f1b06dc4eaa0de904ef4a6fdd2d7007b3a07844ad70b1e035347c3fc21112c5257a
SSDEEP: 1536:1jeTAG/cbPGIZ+yy9YKU/p5mhnD4Nje4ur13t:1jYAaM7ZSY9esEVf
Malware Config
Extracted
Family: urelas
C2: 112.175.88.208
C2: 112.175.88.207
Signatures
Deletes itself (1 IoCs)
  pid 2616  cmd.exe
Executes dropped EXE (1 IoCs)
  pid 2752  huter.exe
Loads dropped DLL (1 IoCs)
  pid 3068  Backdoor.Win32.Plite.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                    procid_target
  PID 3068 wrote to memory of 2752     3068  Backdoor.Win32.Plite.exe   3
  PID 3068 wrote to memory of 2752     3068  Backdoor.Win32.Plite.exe   3
  PID 3068 wrote to memory of 2752     3068  Backdoor.Win32.Plite.exe   3
  PID 3068 wrote to memory of 2752     3068  Backdoor.Win32.Plite.exe   3
  PID 3068 wrote to memory of 2616     3068  Backdoor.Win32.Plite.exe   2
  PID 3068 wrote to memory of 2616     3068  Backdoor.Win32.Plite.exe   2
  PID 3068 wrote to memory of 2616     3068  Backdoor.Win32.Plite.exe   2
  PID 3068 wrote to memory of 2616     3068  Backdoor.Win32.Plite.exe   2
Processes
C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  PID: 2616
  - Deletes itself
C:\Users\Admin\AppData\Local\Temp\huter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  PID: 2752
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"
  PID: 3068
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
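The indicators on this page (sample and dropped-file hashes, the two urelas C2 addresses, and the process tree in which the Temp-resident sample spawns both a second Temp EXE and a cmd.exe running a Temp .bat) can be turned into a small matcher run over process-creation and network events. This is an added example, not part of the Triage report or of tria.ge's own tooling. The Sysmon-style event dicts, the field names, `classify`/`scan`, and the assignment of a dropped-file SHA256 to huter.exe are constructed for the demo; the hashes, addresses, paths and PIDs are those shown above.

```python
"""Indicator matcher built from this Triage report (added example; not tria.ge code).

Hashes, C2 addresses, paths and PIDs are taken from the report. The Sysmon-style
event dicts, the field names, and the pairing of dropped-file hashes with file
names are constructed for the demo.
"""
import re

# Sample and dropped-file SHA256 values from the General and Downloads sections.
SAMPLE_SHA256 = "62f71e49ed5f1a322324c58e9aa1e97e206ddba975aa55e08c6d26f1fa787b0f"
DROPPED_SHA256 = {
    "3ba2f989c72cfb256155b9f51fc6c3de41f5e1b8bb58b89076f9d8f927c95ca0",  # 512B drop
    "0c9dc69de14f7e3ee466b2b18bf194928369208e86ba0b36f2fe415945d38ad6",  # 61KB drop
    "4445fd331d80b02affa2a95ecad6e275aa5c7c1e08ea8494a979f93d4fba0b78",  # 250B drop
}
# C2 addresses from the extracted urelas config.
URELAS_C2 = {"112.175.88.208", "112.175.88.207"}

# Behaviour from the process tree: cmd.exe running a .bat out of the user's Temp
# directory (the self-delete step) and an EXE started from Temp.
TEMP_DIR = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\"
TEMP_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*' + TEMP_DIR + r'[^"\s]+\.bat', re.I)
TEMP_EXE = re.compile(r"^" + TEMP_DIR + r"[^\\]+\.exe$", re.I)


def classify(event):
    """Return the (indicator, detail) pairs that one event matches."""
    hits = []
    if event.get("type") == "process_create":
        digest = event.get("sha256", "").lower()
        if digest == SAMPLE_SHA256:
            hits.append(("sample_hash", digest))
        elif digest in DROPPED_SHA256:
            hits.append(("dropped_file_hash", digest))
        image = event.get("image", "")
        parent = event.get("parent_image", "")
        cmdline = event.get("command_line", "")
        if TEMP_EXE.match(image):
            hits.append(("exe_from_temp", image))
        if TEMP_BAT.search(cmdline):
            hits.append(("temp_bat_via_cmd", cmdline))
        # The sample (3068, in Temp) is parent of both 2752 and 2616. cmd.exe is matched
        # by file name only: the 32-bit sample gets the SysWOW64 copy, not System32.
        if TEMP_EXE.match(parent) and (TEMP_EXE.match(image) or image.lower().endswith("\\cmd.exe")):
            hits.append(("temp_exe_spawns_child", f"{parent} -> {image}"))
    elif event.get("type") == "network_connect":
        dst = event.get("dst_ip", "")
        if dst in URELAS_C2:
            hits.append(("urelas_c2", dst))
    return hits


def scan(events):
    """Aggregate indicator names per PID; PIDs with no hits are omitted."""
    per_pid = {}
    for ev in events:
        names = {name for name, _ in classify(ev)}
        if names:
            per_pid.setdefault(ev["pid"], set()).update(names)
    return {pid: sorted(names) for pid, names in per_pid.items()}


# Constructed events mirroring the report's process tree, plus two benign ones.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3068, "image": TEMP + r"\Backdoor.Win32.Plite.exe",
     "command_line": '"' + TEMP + r'\Backdoor.Win32.Plite.exe"',
     "parent_image": r"C:\Windows\explorer.exe", "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 2752, "image": TEMP + r"\huter.exe",
     "command_line": '"' + TEMP + r'\huter.exe"',
     "parent_image": TEMP + r"\Backdoor.Win32.Plite.exe",
     # Assumed for the demo: the 61KB drop is huter.exe (the report does not say which file is which).
     "sha256": "0c9dc69de14f7e3ee466b2b18bf194928369208e86ba0b36f2fe415945d38ad6"},
    {"type": "process_create", "pid": 2616, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": 'cmd /c ""' + TEMP + r'\sanfdr.bat" "',
     "parent_image": TEMP + r"\Backdoor.Win32.Plite.exe"},
    {"type": "network_connect", "pid": 2752, "dst_ip": "112.175.88.208"},
    {"type": "process_create", "pid": 4242, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 4242, "dst_ip": "192.0.2.10"},  # TEST-NET address, benign
]

if __name__ == "__main__":
    for pid, names in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(names))
```

The parent/child rule is the part worth keeping beyond this one sample: a Temp-resident executable that starts another Temp executable and a cmd.exe running a Temp batch file is the pattern behind the "Executes dropped EXE" and "Deletes itself" signatures, and it survives a rebuild of the sample that changes every hash. Match cmd.exe on its file name rather than a full System32 path, because a 32-bit process on 64-bit Windows is redirected to C:\Windows\SysWOW64\cmd.exe, which is exactly the path the process list shows.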
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512B
MD5: f45c82adf9ef8413d78bd3230b411302
SHA1: 334971369d92e5aeb3d541b0d9fb1dfa1c8c8d44
SHA256: 3ba2f989c72cfb256155b9f51fc6c3de41f5e1b8bb58b89076f9d8f927c95ca0
SHA512: 602a7e0e01b8367b81ab70167c92d09db8df4466f8483580ca6b48926332ccbfb1379f7f308c534f3d1ff127fb2b4ec69f3927a7313c7952f230dfa57cbbc093

Filesize: 61KB
MD5: 991be6f3c9067091982f93aca3ca2e88
SHA1: e939bbf0694eb7797bbe1f542a9203416c7b436c
SHA256: 0c9dc69de14f7e3ee466b2b18bf194928369208e86ba0b36f2fe415945d38ad6
SHA512: 97a8035edb7ba6c4109607000503cd4d4c1752755ddc551590e435c5573761a2e3976567cd3baf2ed3ebb20d48a994244f38a6121ae2b1e160d02e720b16e815

Filesize: 250B
MD5: b6ac74a17ea9df40fa00e66362d0128c
SHA1: ebfabc9e75e4493a0c88b1b7b1e6d195eaebe592
SHA256: 4445fd331d80b02affa2a95ecad6e275aa5c7c1e08ea8494a979f93d4fba0b78
SHA512: b997c51b7ce523625b6b454f96a88c4df08d5b5526a33ec8a0244d6a8be7d68dd01a6c72ae618a758a49dbd131ca2c5337fae576bee617450acafeab3844c4e1