Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2024, 17:53

General

  • Target

    c13a7c20e658b8c5f8e2958eaa94331e.exe

  • Size

    2.0MB

  • MD5

    c13a7c20e658b8c5f8e2958eaa94331e

  • SHA1

    9ab3f9aba8a596fbc8fcfd43ef6f59a27476c57b

  • SHA256

    8c9a6379b79aae42de97eddcb6566cdfdeeadb9b1990b217bced4aff87940c7f

  • SHA512

    afc58c261fdee76fc47a91e7b93c345be60e0d3b224098568044808c5d8cc21e52fd6e931861ca27705a091b0fc5430988d3624447c72cc6540c30e9e4faee99

  • SSDEEP

    49152:OFUcx88PWPOpX0SFEPCX/6bsqLZINvfhY+0l6YxTLyGc:O+K88uPCHuayQqu3hY+0l1LyGc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe
    "C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Users\Admin\AppData\Local\Temp\1620.tmp
      "C:\Users\Admin\AppData\Local\Temp\1620.tmp" --splashC:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe 4F0951C49151D5AF87F1B0848364C29908503554A2942B5F6EC482F6A58A8EB18503B51AE41E04F8346CA2EA899A2A1B7C15EDB34455F25B3ACE210E0FA01789
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.docx"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.docx

    Filesize

    19KB

    MD5

    4046ff080673cffac6529512b8d3bdbb

    SHA1

    d3cbc39065b7a55e995fa25397da2140bdac80c1

    SHA256

    f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

    SHA512

    453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

  • \Users\Admin\AppData\Local\Temp\1620.tmp

    Filesize

    2.0MB

    MD5

    ab2d2f86f77a9666415889702cb7aaed

    SHA1

    07725b1c322762b7bf01f97e82faea43c70cb5d3

    SHA256

    219c47b848d5b87356995147a25e6cc6b4313f0293e3bc56e1a545a7e5acf466

    SHA512

    623100ad1831e1b35f8aaeea9ae076c4a6ff8542114239b0d228250bdda8acca59b1e37249f4e8e9a5249d25e30c39e7eb24852d5977e846bf3dbc39ad22afbf

  • memory/1936-6-0x0000000000400000-0x0000000000606000-memory.dmp

    Filesize

    2.0MB

  • memory/2260-0-0x0000000000400000-0x0000000000606000-memory.dmp

    Filesize

    2.0MB

  • memory/2992-9-0x000000002FA81000-0x000000002FA82000-memory.dmp

    Filesize

    4KB

  • memory/2992-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2992-11-0x00000000711DD000-0x00000000711E8000-memory.dmp

    Filesize

    44KB

  • memory/2992-15-0x00000000711DD000-0x00000000711E8000-memory.dmp

    Filesize

    44KB