Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26/03/2024, 01:53
General
-
Target
c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe
-
Size
678KB
-
MD5
7d137e6d226fbac1929470bad2e491a4
-
SHA1
8ade719638ad770b75f056515a9ba9b002e173cc
-
SHA256
c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b
-
SHA512
94ac28a918371eef7db0b87724a95f802fb8f50ad02372ae71b1c75c283bb51d714395c8ac19c05d20362b3756f66227c0354c5da135844341ee36603f4c30e8
-
SSDEEP
12288:FLTA8PHO5mU0It6qqHfB3VhOR+p67OhZv2SI3u:9TA8PO5mU16/HtjDhZH
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe"C:\Users\Admin\AppData\Local\Temp\c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -windowstyle hidden "$Archurger=Get-Content 'C:\Users\Admin\AppData\Roaming\enomaniac\Biomolecule\Shopmaid.Gra';$Ervin=$Archurger.SubString(62607,3);.$Ervin($Archurger)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"3⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5d003bc3b0862bfceec3a0869b7872b8a
SHA1477a3475ffe393390c6faf530887d0d162662feb
SHA256994c3a38ec25e17024e4260571b946d006aac11fcceb754bc68e18d13c394b51
SHA512ae2a0a61e7d03afd55ede91c0712d89fa9b4504ac9b5db23a7e5f30d8a1fb226e71e9c6383bd1ec55b15cef61e952124b44f77cafd74aa5af4db6d7a92dab88a
-
Filesize
321KB
MD5d4d2d97c9182b359fa8cc28fba4cb5f8
SHA193c12c72a585db9d5a2f9316437b75d652209bbe
SHA2569c9b2adabaaca93b0da17d0c8562b3a22db406c1e3ba0a13b39932b848418d78
SHA512e1ea667cbf530fcea7d7f13bb6c5cee3a0759403034b27754576b9a8f9db7bd5e6d2b68460728b16325d919133349ade192b2755b80413ff26b51cb3befba953
-
Filesize
37.8MB
-
Filesize
1.7MB
-
Filesize
16.4MB
-
Filesize
37.8MB
-
Filesize
856KB
-
Filesize
4KB
-
Filesize
1.7MB
-
Filesize
1024KB
-
Filesize
16KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
37.8MB
-
Filesize
1.7MB
-
Filesize
856KB
-
Filesize
37.8MB
-
Filesize
37.8MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
37.8MB