Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b8f7f1c3cb...a6.exe

windows7-x64

10

b8f7f1c3cb...a6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    137s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2024, 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b8f7f1c3cb54dd98956cfade0d5b02a6.exe

  • Size

    336KB

  • MD5

    b8f7f1c3cb54dd98956cfade0d5b02a6

  • SHA1

    802cedcb7f89c6df1dc1bd36ace24c66474cd0ab

  • SHA256

    26a771ec1b7159b3009984f59822620ba5bcd2a675e290a1334ff3a2536ae5ea

  • SHA512

    2f9f862f39bb8a1cf87f44a848bb2e8b12f56215643e3643b6e08278023c9195356dd030f2ddbb304149887958925e5b1fb8d0f2a8ff51dd2b0ee8f84d14b0ae

  • SSDEEP

    6144:ENr04w8GJEotOrtacrFhqxvtiIZTYix3BuYBIbgmOTd3w:ENr04rnrtacrnnOTYi3B+gmO53

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:336
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies WinLogon for persistence
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\b8f7f1c3cb54dd98956cfade0d5b02a6.exe
      "C:\Users\Admin\AppData\Local\Temp\b8f7f1c3cb54dd98956cfade0d5b02a6.exe"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\AppData\Local\2625e5f1\X
        193.105.154.210:80
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2584
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:2920
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      1⤵
        PID:2936

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\2625e5f1\@
        Filesize

        2KB

        MD5

        b3d2b259ab16b0e26c02f2faa9453238

        SHA1

        3aa2631f79a01143caa52936ce5fe5b942387e78

        SHA256

        905614fb30f9b84b2a81fa770b87350c1b7bc21b23ff775154fbd973505b8675

        SHA512

        209161e67f4874e2253e4fcb7aaaef57526781a06ecf7966c33d0f6db2ec8fc97e3b5ce3b1027ad5ed9ac400ce35a8d5fbac2d17b9327f64c33fb63dabb8562d

        Download Submit

      • C:\Windows\system32\consrv.dll
        Filesize

        31KB

        MD5

        dafc4a53954b76c5db1d857e955f3805

        SHA1

        a18fa0d38c6656b4398953e77e87eec3b0209ef3

        SHA256

        c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

        SHA512

        745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

        Download Submit

      • \Users\Admin\AppData\Local\2625e5f1\X
        Filesize

        41KB

        MD5

        686b479b0ee164cf1744a8be359ebb7d

        SHA1

        8615e8f967276a85110b198d575982a958581a07

        SHA256

        fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

        SHA512

        7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

        Download Submit

      • \systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
        Filesize

        2KB

        MD5

        444293e3ecd966dccc65b9d89dbf1e6d

        SHA1

        d7bfb6ad8d44954b490997a971d79dfbd62c743a

        SHA256

        7a833f9c8582485bf923ad56f4419cc302dd6a3845594f23efb068cc2e157488

        SHA512

        1ae95d0dfcf6d79db7a4a81654538dfb99dbe9e88b75e2eaa2d9a662098abfaa95fe06557ba388d3bbecb9a5a0cdc15d035fdf9c2cb49b3233440e98552551c9

        Download Submit

      • memory/336-16-0x0000000000A20000-0x0000000000A21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/336-19-0x0000000000A70000-0x0000000000A7C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/336-18-0x0000000000A70000-0x0000000000A7C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1208-47-0x0000000000A70000-0x0000000000A7C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1208-43-0x0000000000A70000-0x0000000000A7C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1208-32-0x00000000021E0000-0x00000000021EB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1208-42-0x00000000021F0000-0x00000000021FB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1208-40-0x00000000021E0000-0x00000000021EB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1208-36-0x00000000021E0000-0x00000000021EB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1208-48-0x00000000021F0000-0x00000000021FB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1936-15-0x00000000021A0000-0x00000000022A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1936-30-0x0000000000400000-0x000000000045C8E4-memory.dmp

        Filesize

        370KB

        Download

      • memory/1936-22-0x00000000003C0000-0x00000000003EF000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1936-41-0x00000000021A0000-0x00000000022A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1936-21-0x0000000000860000-0x0000000000960000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1936-20-0x0000000000400000-0x000000000045C8E4-memory.dmp

        Filesize

        370KB

        Download

      • memory/1936-1-0x0000000000400000-0x000000000045C8E4-memory.dmp

        Filesize

        370KB

        Download

      • memory/1936-46-0x00000000003C0000-0x00000000003EF000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1936-9-0x00000000003C0000-0x00000000003EF000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1936-6-0x00000000003C0000-0x00000000003EF000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1936-3-0x00000000003C0000-0x00000000003EF000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1936-2-0x0000000000860000-0x0000000000960000-memory.dmp

        Filesize

        1024KB

        Download