Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/03/2024, 14:03

General

  • Target

    b24fa78084497f1d9208787d96f9b6ea.exe

  • Size

    13KB

  • MD5

    b24fa78084497f1d9208787d96f9b6ea

  • SHA1

    7aae7bea4fd0b2bf120487aa84093e4d74fd2dd5

  • SHA256

    9c827fd486fcee65b93a58241b455a89be45b56046d3b78e695f4d6cd1b29e2c

  • SHA512

    8f6b1f35f10e0a54a6d8aaaeab4c5a59b0fa3ec802a756e9385e16cd1197ac05443f6dad34a55ad50ed630fc65542f592b0786287145e4e458ec2104f3e349c7

  • SSDEEP

    384:HPIXVcXVihJ9OawDh21kk9Qsr9GlllaOYuI76D8:gXVAVQrOaj1kk9J9GjlaO7I/

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe
    "C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\96E3.tmp.bat
      2⤵
      • Deletes itself
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\96E3.tmp.bat

    Filesize

    179B

    MD5

    bc2c7a46b8faafa782a38495979dffc2

    SHA1

    a4f2c3a6b109ef2f174e59ec6286cc1044dac2a4

    SHA256

    07c5c747b0b199326070ab07d4c72977367dd7bb0588eca3dac145f2a96c8a9a

    SHA512

    025109f02c5705e96a19adff95c8cbce475a8b2c57806a1896d623fcbd5df5633b65320b23985063e2b59a9ab4cfb269bd46f98c6c45685e6eac6c23b3562065

  • C:\Windows\SysWOW64\vmutgpyw.nls

    Filesize

    428B

    MD5

    76a3016d1defcd1798f893e3859616dd

    SHA1

    5a8f2f3c94f8aec0dd573e54083a6c6d3b09d047

    SHA256

    f9a7e55649b01160bea0a1daf490dd85e5d25e8ff038434d381b2053fab40b74

    SHA512

    812649bf9278a938c2d87d3b9f0ed1c5177a4f9464750ee22f178399d948d45c9dff1e28db3eb1edd0673b775fdf7246635f684332a413ef64e3d67a9295b977

  • C:\Windows\SysWOW64\vmutgpyw.tmp

    Filesize

    2.3MB

    MD5

    b5b9b49c77d4582f4d6329634a214406

    SHA1

    74393ae410e0eec2de220e3b2a2522844549466f

    SHA256

    9935a45f977fdfdd9f0fe641420ff550d302ee62981b430bcb248038f826e3a3

    SHA512

    b47b5a8d19011d0538304b184e76feb9e6d0a4ddf6aacf38e626b73dd283ad054602a86121dd29e1828918b802ab0b05383d5b469a8b85d7635bf4b83c7a1bb2

  • memory/3008-16-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/3008-25-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB