Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2024, 07:11

General

  • Target

    c549ae8ce044c1fe52ed0ac8e05abb44.exe

  • Size

    3.9MB

  • MD5

    c549ae8ce044c1fe52ed0ac8e05abb44

  • SHA1

    e1c6e01cb73fbc4977c9b1f0938991f1ba188408

  • SHA256

    7e0997dacb78b2b62f6a41b12e1be202dac433f63b21a0cc53b8d9fb1e712f01

  • SHA512

    addaa29853eeb99ca5233bb9ce8c735ad15d7f6680d16eb7489c9d086f3f1861f2aa1e73634f37e853d8510dbd39e73ce8f5b40808e859807a29d0176b25ab5e

  • SSDEEP

    98304:fqopHpbWILpYOeFA9zyULG+FgzZWWvvzarCqA9zyULG+fj2kHkpRKrMA9zyULG+Q:fqoFp3LDeyzLqggzkWvlzLq6j2Gk/KtP

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe
    "C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe
      C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe" /TN guALCTR926f5 /F
        3⤵
        • Creates scheduled task(s)
        PID:2596
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN guALCTR926f5 > C:\Users\Admin\AppData\Local\Temp\jLP2psr.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN guALCTR926f5
          4⤵
            PID:2588

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\jLP2psr.xml

      Filesize

      1KB

      MD5

      4fa80912bc08ed5ab4573b1a97664a6b

      SHA1

      9f0a4740f7ac37ad704d2caf316d63ea0180cd72

      SHA256

      37870ae7406289347f107230e13b627ab78bee261cb78146bdf1452419e05370

      SHA512

      59dc18a73e86af116645760a914f157f07a29b1f30870aeeadd6c8d340631c90eed9b8d9178fbdfc70e9c6fd9af293578745d177406821e6e1ca85cf7b3c62d4

    • \Users\Admin\AppData\Local\Temp\c549ae8ce044c1fe52ed0ac8e05abb44.exe

      Filesize

      3.9MB

      MD5

      0691b19a2cb2dd799cec3a2ed86740ad

      SHA1

      4f3566e35f4204e2da4a4f999f8d6b2ad5d24944

      SHA256

      25355c710a9f938740b67331c82d9b117f71b41b8c9b6b63f8f862ee4f1fa6c9

      SHA512

      f4e87f8532c04ff17085ebd9d10018571b708e419355c80714d1e397b8212f9be91fbc1dfa6a9318a82964c9a26c32bbf9be3a7ec9f65035b72eba1e0c3a47bb

    • memory/2780-0-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/2780-2-0x00000000001A0000-0x000000000021E000-memory.dmp

      Filesize

      504KB

    • memory/2780-1-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/2780-16-0x00000000236A0000-0x00000000238FC000-memory.dmp

      Filesize

      2.4MB

    • memory/2780-15-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/3016-20-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB

    • memory/3016-21-0x0000000000370000-0x00000000003EE000-memory.dmp

      Filesize

      504KB

    • memory/3016-27-0x0000000000470000-0x00000000004DB000-memory.dmp

      Filesize

      428KB

    • memory/3016-26-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/3016-54-0x0000000000400000-0x000000000065C000-memory.dmp

      Filesize

      2.4MB