Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2024, 07:30

General

  • Target

    c80d627107db611cb805b7fdce880030.exe

  • Size

    63KB

  • MD5

    c80d627107db611cb805b7fdce880030

  • SHA1

    efacc489df7020f605953c9bd16afbccc09e2824

  • SHA256

    ea933832e2b54394e17c2ca51f5d0e42a9a76dd1f6e3c0439d1415f77fa31548

  • SHA512

    f6532255995ba423ca954c099c696368f19c57cf85052fe74a94578ae6205dd0a5bb07295ca32d390b7c0535e54cca82020c54593b1f7018d3fa4a048c08850a

  • SSDEEP

    1536:UjV8OL2JLAEEbBow9551m5HwgvTnjrrzQgPZT4rNuGOVm5SvDqm7UZdyhG:UJ8ZJYBoM1m5RznrzQq6rNBfgzY48

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Modifies Shared Task Scheduler registry keys 2 TTPs 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c80d627107db611cb805b7fdce880030.exe
    "C:\Users\Admin\AppData\Local\Temp\c80d627107db611cb805b7fdce880030.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\dropper_286962.exe
      "C:\Users\Admin\AppData\Local\Temp\dropper_286962.exe"
      2⤵
      • Modifies Shared Task Scheduler registry keys
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\wndutl32.dll,load
        3⤵
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Modifies Shared Task Scheduler registry keys
        • Loads dropped DLL
        • Windows security modification
        • Sets desktop wallpaper using registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • System policy modification
        PID:2372
    • C:\Users\Admin\AppData\Local\Temp\load.exe
      "C:\Users\Admin\AppData\Local\Temp\load.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\load.exe"
        3⤵
          PID:2380

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\dropper_286962.exe

      Filesize

      43KB

      MD5

      df0ad057821a5a5218125a7cf7375813

      SHA1

      0195d399cc9c705f70b06d8a9dd16fd50d494f16

      SHA256

      98ae0c7ec0479ae48fe9deaa6d5f16d733248a8ecd3137e213e2c84221881d75

      SHA512

      a05f64df4431414467e25b71af1c50e09c73b0eb85e2b6f9011393d837fcc56bf9c93857867c0ab71e7da3ba52e2a5693ca10a8a2c6bcb8ff54e5971c7db2016

    • \Users\Admin\AppData\Local\Temp\load.exe

      Filesize

      9KB

      MD5

      2074d9f84dabdaa9eca10d550797740c

      SHA1

      ae5c559a7c167c716bfd4c1fbdf6582a9112625a

      SHA256

      3e27f5e6be8ca368e9f49fbb0af15b253ad9f1a719248992a85fdc50d4d781ab

      SHA512

      b486868fa9dcf2dfac2069998c3a580ba8fe12a9dcba7bf4cfd44d06b021d53ef29ba4415a2780c8d239f708015f00b54c2b32e3ac869f792ae6d633c71d4589

    • \Users\Admin\AppData\Local\Temp\wndutl32.dll

      Filesize

      13KB

      MD5

      566881585b351cdcc4f66648c6b98a58

      SHA1

      fc996cda1a168532d6d7e899c4bb1684199262bb

      SHA256

      5bd5db0388afdc882eb196a9e03681944ef10cba658eef11fb89feac0eed4e30

      SHA512

      cc16ea70971a995a6788112e0a58a686272f18352d881274af3ec7d5a274edb30e3a910c0dc0a657f6c310475e959c853551dc350555f7c8add4d3613c66580c

    • memory/1912-23-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/1912-1-0x0000000000220000-0x000000000022F000-memory.dmp

      Filesize

      60KB

    • memory/1912-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/1912-4-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/2560-32-0x0000000000220000-0x0000000000222000-memory.dmp

      Filesize

      8KB

    • memory/2560-27-0x0000000000400000-0x000000000090A000-memory.dmp

      Filesize

      5.0MB

    • memory/2560-41-0x0000000000400000-0x000000000090A000-memory.dmp

      Filesize

      5.0MB

    • memory/2936-24-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/2936-15-0x0000000000220000-0x000000000022A000-memory.dmp

      Filesize

      40KB

    • memory/2936-14-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/2936-40-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB