Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/03/2024, 17:18

General

  • Target
    c92cb70677786b3e4d7e761c564c9a2d.exe
  • Size
    3.0MB
  • MD5
    c92cb70677786b3e4d7e761c564c9a2d
  • SHA1
    8e7f75003b5bbc0ba41000c54dd8717b32408b1f
  • SHA256
    744e9998edb7fb4f6382c07d12baf98d348c6170723c52c29d471cdfdc0613fd
  • SHA512
    5ccff2e84e93f6c71a20c67cd5de5c63b5dd9caedd15c557fbaa75cdbe8a4a179a9780e53447220e7862678e8151a04613fe503d7f4359607d1df2714c55838f
  • SSDEEP
    49152:GBwLRC2cakLVy5dv5sgpkB5+PcakLdI1eageTdHpPYV0cakLVy5dv5sgpkB5+Pcl:YWC2cakhy595sgp9cakBVageTlpPYV06

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe
    "C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe
      C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe" /TN 5xzkGEJ1bdbc /F
        3⤵
        • Creates scheduled task(s)
        PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc > C:\Users\Admin\AppData\Local\Temp\dFcDxA.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc
          4⤵
          PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe
    Filesize 3.0MB
    MD5 2c4184274bfafda3bdf052d8393d3fdd
    SHA1 b8f9b05595d9013f42bd7d875d401933b453c43c
    SHA256 02e1172342549cd16ffb843de22aeefe192373f0457d1c9fe8804689a5c51be0
    SHA512 1192e1275b470f05fa6f22390efd844623db4d1b77b7a7a7fdef4fb47c911b64b3b1337e2ab3aebd2088c1c6f005f48c81f0b726f81d100c5a254303d84b6960

  • C:\Users\Admin\AppData\Local\Temp\dFcDxA.xml
    Filesize 1KB
    MD5 7611ad0d6b949c2069cc1f5d6105a684
    SHA1 8a5639874276e3edf2ce8b1ef19dcd50419b86b6
    SHA256 c21008f58142ea285f3372dadec409e1ebefc2e13590f79ba63963570991a7e7
    SHA512 f414d1d7bde5c8d56acd3f82d958f950833edad6de4f5a6b72e044f83f68d39ee66c1977e68bc17922c36e7e12ae3c0ffbb9e7bca485e753b33d6491f2000300

  • \Users\Admin\AppData\Local\Temp\c92cb70677786b3e4d7e761c564c9a2d.exe
    Filesize 768KB
    MD5 6d47e17d1c03f962bb8967053544efeb
    SHA1 a5866e72518b678635e05ba15a210be4236634dc
    SHA256 f5d141f745804b80282f4a87e242a9937e882a988eeb9bfd951824eba789f812
    SHA512 c7ea64cb1068debd3d66689fc7c2798f36b0d1d46fe321817a597ded273aa914200df1e4280285a329024092b5347d91f68bdf750ce595960b30c5665f125744

  • memory/1948-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp
    Filesize 504KB

  • memory/1948-1-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize 428KB

  • memory/1948-15-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize 428KB

  • memory/1948-0-0x0000000000400000-0x000000000065C000-memory.dmp
    Filesize 2.4MB

  • memory/1948-16-0x0000000023430000-0x000000002368C000-memory.dmp
    Filesize 2.4MB

  • memory/2148-19-0x0000000000400000-0x000000000065C000-memory.dmp
    Filesize 2.4MB

  • memory/2148-26-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize 364KB

  • memory/2148-30-0x00000000001E0000-0x000000000024B000-memory.dmp
    Filesize 428KB

  • memory/2148-21-0x00000000002D0000-0x000000000034E000-memory.dmp
    Filesize 504KB

  • memory/2148-54-0x0000000000400000-0x000000000065C000-memory.dmp
    Filesize 2.4MB