
Analysis

  • max time kernel: 119s
  • max time network: 128s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 15/04/2024, 16:07

General

  • Target

    tmp.exe

  • Size

    69.8MB

  • MD5

    dabe0e2b2f4e649d2fd3b6f6a70598ae

  • SHA1

    d9063f4b80865ab39dff5bb6fa6563093ec755fe

  • SHA256

    ec5c3420cfb120442b655cefbeba07d4dd5da3a4c3528d0584a45bb342a1e882

  • SHA512

    3dbbae4d36b8001583e60880bec0ca53383bfa5758f79b82560c2af098866128ce74aaee7a1fc5bc62de60ccfe00d8434a97d36186f9ae53875cfb3e44933b55

  • SSDEEP

    1572864:4EElPoG/DteDYfOD4qDGAvn7Bo7MyDT+dEHUQvshLBs51o076JkDCJ:4FPoG/BemORB1ydGE0Q0BO5q07s

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (10 IoCs)
  • HTTP links in PDF interactive object (1 IoC)

    Detects HTTP links in interactive objects within PDF files.

  • Detects Pyinstaller (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1772)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Windows.exe (PID 3068)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\Windows.exe (PID 2120)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
        • Executes dropped EXE
        • Loads dropped DLL
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2420)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\HEATHROW OUTSOURCING COMPANIES LTD.pdf"
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\HEATHROW OUTSOURCING COMPANIES LTD.pdf

    Filesize

    55KB

    MD5

    87c136267ab6577cbc2af8352818edeb

    SHA1

    de6d15b6f100a3d45ea501583c9fc75fd613e697

    SHA256

    9c40c03405355394617e12ee6a65d8ea63c20e76e8ae0f2c5a8283cfb616531b

    SHA512

    ca6c3995db2551e4eb549d3832d1b193a0dd773bcbf0185664ef703d80241aa1738aa0a53fb0f2ade0bc24801c03ad29141b78e1cc96efed99600d92ceb4f2c5

  • C:\Users\Admin\AppData\Local\Temp\Windows.exe

    Filesize

    69.9MB

    MD5

    5791334672fdee023d825d65b3a761e6

    SHA1

    30e7c3f1c14c8accc472b4351a2de2ce97aeab34

    SHA256

    03940fb528161993d3c6234d8a9e35e0803ad8be2c36583b9a82643e14c6362b

    SHA512

    0503378b9156d147aa2c8f8d819d5d31ad79f6559e9eea5b91ae2f8282fe0d8072459320fa3d32d711e1c83b66091ba825baca3b301d3fc1c3a1aa7529f78bb0

  • C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l2-1-0.dll

    Filesize

    18KB

    MD5

    bfffa7117fd9b1622c66d949bac3f1d7

    SHA1

    402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

    SHA256

    1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

    SHA512

    b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

  • C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-processthreads-l1-1-1.dll

    Filesize

    21KB

    MD5

    4380d56a3b83ca19ea269747c9b8302b

    SHA1

    0c4427f6f0f367d180d37fc10ecbe6534ef6469c

    SHA256

    a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

    SHA512

    1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

  • C:\Users\Admin\AppData\Local\Temp\_MEI30682\python312.dll

    Filesize

    6.7MB

    MD5

    48ebfefa21b480a9b0dbfc3364e1d066

    SHA1

    b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

    SHA256

    0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

    SHA512

    4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

  • C:\Users\Admin\AppData\Local\Temp\_MEI30682\ucrtbase.dll

    Filesize

    992KB

    MD5

    0e0bac3d1dcc1833eae4e3e4cf83c4ef

    SHA1

    4189f4459c54e69c6d3155a82524bda7549a75a6

    SHA256

    8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

    SHA512

    a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    0de814b2b893ae5d92a26faf9f6fbae3

    SHA1

    1fae6d11389af2bdc74b3fec00c27e7da0ef7d43

    SHA256

    66b395738de92da68b07bace5ba3c97d3e1d0dcd434f9bd22759860e17159026

    SHA512

    cd1838016ee6112b4827346f90e9ce3bc1c9667ead9e4614dda13bfa2dade1fe29d21dbd2e2513ae4eccbd0488a9c14c4f7133ccb1f4af399537bb4dd31bb847

  • \Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l1-2-0.dll

    Filesize

    21KB

    MD5

    bcb8b9f6606d4094270b6d9b2ed92139

    SHA1

    bd55e985db649eadcb444857beed397362a2ba7b

    SHA256

    fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

    SHA512

    869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

  • \Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-localization-l1-2-0.dll

    Filesize

    21KB

    MD5

    20ddf543a1abe7aee845de1ec1d3aa8e

    SHA1

    0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

    SHA256

    d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

    SHA512

    96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

  • \Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-timezone-l1-1-0.dll

    Filesize

    21KB

    MD5

    2554060f26e548a089cab427990aacdf

    SHA1

    8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

    SHA256

    5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

    SHA512

    fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

  • memory/1772-16-0x0000000002F70000-0x0000000002F80000-memory.dmp

    Filesize

    64KB