Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/03/2024, 14:03
- Static task: static1
- Behavioral task: behavioral1 (sample b24fa78084497f1d9208787d96f9b6ea.exe, resource win7-20240221-en)
- Behavioral task: behavioral2 (sample b24fa78084497f1d9208787d96f9b6ea.exe, resource win10v2004-20240226-en)
General
- Target: b24fa78084497f1d9208787d96f9b6ea.exe
- Size: 13KB
- MD5: b24fa78084497f1d9208787d96f9b6ea
- SHA1: 7aae7bea4fd0b2bf120487aa84093e4d74fd2dd5
- SHA256: 9c827fd486fcee65b93a58241b455a89be45b56046d3b78e695f4d6cd1b29e2c
- SHA512: 8f6b1f35f10e0a54a6d8aaaeab4c5a59b0fa3ec802a756e9385e16cd1197ac05443f6dad34a55ad50ed630fc65542f592b0786287145e4e458ec2104f3e349c7
- SSDEEP: 384:HPIXVcXVihJ9OawDh21kk9Qsr9GlllaOYuI76D8:gXVAVQrOaj1kk9J9GjlaO7I/
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vmutgpyw.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" (process: b24fa78084497f1d9208787d96f9b6ea.exe)
- Deletes itself (1 IoC)
  - PID 2840, process: cmd.exe
- Loads dropped DLL (1 IoC)
  - PID 3008, process: b24fa78084497f1d9208787d96f9b6ea.exe
- Drops file in System32 directory (3 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\vmutgpyw.nls (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  - File created: C:\Windows\SysWOW64\vmutgpyw.tmp (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  - File opened for modification: C:\Windows\SysWOW64\vmutgpyw.tmp (process: b24fa78084497f1d9208787d96f9b6ea.exe)
- Modifies registry class (4 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32 (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\vmutgpyw.dll" (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment" (process: b24fa78084497f1d9208787d96f9b6ea.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - PID 3008, process: b24fa78084497f1d9208787d96f9b6ea.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  - PID 3008, process: b24fa78084497f1d9208787d96f9b6ea.exe (3 identical entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 3008 wrote to memory of 2840 (process: b24fa78084497f1d9208787d96f9b6ea.exe, procid_target 28); 4 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"
  PID: 3008
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\96E3.tmp.bat
    PID: 2840
    - Deletes itself