Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/04/2024, 16:07
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20240412-en
General
-
Target
tmp.exe
-
Size
69.8MB
-
MD5
dabe0e2b2f4e649d2fd3b6f6a70598ae
-
SHA1
d9063f4b80865ab39dff5bb6fa6563093ec755fe
-
SHA256
ec5c3420cfb120442b655cefbeba07d4dd5da3a4c3528d0584a45bb342a1e882
-
SHA512
3dbbae4d36b8001583e60880bec0ca53383bfa5758f79b82560c2af098866128ce74aaee7a1fc5bc62de60ccfe00d8434a97d36186f9ae53875cfb3e44933b55
-
SSDEEP
1572864:4EElPoG/DteDYfOD4qDGAvn7Bo7MyDT+dEHUQvshLBs51o076JkDCJ:4FPoG/BemORB1ydGE0Q0BO5q07s
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3068 Windows.exe 2120 Windows.exe -
Loads dropped DLL 10 IoCs
pid Process 1772 tmp.exe 2164 Process not Found 3068 Windows.exe 2120 Windows.exe 2120 Windows.exe 2120 Windows.exe 2120 Windows.exe 2120 Windows.exe 2120 Windows.exe 2120 Windows.exe -
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
resource yara_rule behavioral1/files/0x000c00000001224c-130.dat pdf_with_link_action -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral1/files/0x0028000000016b5e-10.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2420 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2420 AcroRd32.exe 2420 AcroRd32.exe 2420 AcroRd32.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1772 wrote to memory of 3068 1772 tmp.exe 28 PID 1772 wrote to memory of 3068 1772 tmp.exe 28 PID 1772 wrote to memory of 3068 1772 tmp.exe 28 PID 1772 wrote to memory of 2420 1772 tmp.exe 31 PID 1772 wrote to memory of 2420 1772 tmp.exe 31 PID 1772 wrote to memory of 2420 1772 tmp.exe 31 PID 1772 wrote to memory of 2420 1772 tmp.exe 31 PID 3068 wrote to memory of 2120 3068 Windows.exe 32 PID 3068 wrote to memory of 2120 3068 Windows.exe 32 PID 3068 wrote to memory of 2120 3068 Windows.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\Windows.exe"C:\Users\Admin\AppData\Local\Temp\Windows.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\Windows.exe"C:\Users\Admin\AppData\Local\Temp\Windows.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\HEATHROW OUTSOURCING COMPANIES LTD.pdf"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2420
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD587c136267ab6577cbc2af8352818edeb
SHA1de6d15b6f100a3d45ea501583c9fc75fd613e697
SHA2569c40c03405355394617e12ee6a65d8ea63c20e76e8ae0f2c5a8283cfb616531b
SHA512ca6c3995db2551e4eb549d3832d1b193a0dd773bcbf0185664ef703d80241aa1738aa0a53fb0f2ade0bc24801c03ad29141b78e1cc96efed99600d92ceb4f2c5
-
Filesize
69.9MB
MD55791334672fdee023d825d65b3a761e6
SHA130e7c3f1c14c8accc472b4351a2de2ce97aeab34
SHA25603940fb528161993d3c6234d8a9e35e0803ad8be2c36583b9a82643e14c6362b
SHA5120503378b9156d147aa2c8f8d819d5d31ad79f6559e9eea5b91ae2f8282fe0d8072459320fa3d32d711e1c83b66091ba825baca3b301d3fc1c3a1aa7529f78bb0
-
Filesize
18KB
MD5bfffa7117fd9b1622c66d949bac3f1d7
SHA1402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA2561ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
-
Filesize
21KB
MD54380d56a3b83ca19ea269747c9b8302b
SHA10c4427f6f0f367d180d37fc10ecbe6534ef6469c
SHA256a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a
SHA5121c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4
-
Filesize
6.7MB
MD548ebfefa21b480a9b0dbfc3364e1d066
SHA1b44a3a9b8c585b30897ddc2e4249dfcfd07b700a
SHA2560cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2
SHA5124e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce
-
Filesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
Filesize
3KB
MD50de814b2b893ae5d92a26faf9f6fbae3
SHA11fae6d11389af2bdc74b3fec00c27e7da0ef7d43
SHA25666b395738de92da68b07bace5ba3c97d3e1d0dcd434f9bd22759860e17159026
SHA512cd1838016ee6112b4827346f90e9ce3bc1c9667ead9e4614dda13bfa2dade1fe29d21dbd2e2513ae4eccbd0488a9c14c4f7133ccb1f4af399537bb4dd31bb847
-
Filesize
21KB
MD5bcb8b9f6606d4094270b6d9b2ed92139
SHA1bd55e985db649eadcb444857beed397362a2ba7b
SHA256fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118
SHA512869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9
-
Filesize
21KB
MD520ddf543a1abe7aee845de1ec1d3aa8e
SHA10eaf5de57369e1db7f275a2fffd2d2c9e5af65bf
SHA256d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8
SHA51296dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd
-
Filesize
21KB
MD52554060f26e548a089cab427990aacdf
SHA18cc7a44a16d6b0a6b7ed444e68990ff296d712fe
SHA2565ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044
SHA512fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506