Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2024, 03:21

General

  • Target

    33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe

  • Size

    3.0MB

  • MD5

    df7a1a3dda3ef1e2dbf4837052ec6a2a

  • SHA1

    b54a7a9cbfebba7577ee212416c86768850511d0

  • SHA256

    33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458

  • SHA512

    19f0800d814c33ccc2f3dd548b0b4b92d81c97f29404d67e9962bd9a16545a63c9413520aa84f1d2aac8f822a6260b4326f05b8585c060aa3c41e778294acde8

  • SSDEEP

    49152:ZcburWWS6FKmeAxAfovAF6RKcBQbx+29uWV9D489N:iburtzFKmeoAAvAF6RK/N91PM+N

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
    "C:\Users\Admin\AppData\Local\Temp\33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\temp.bat
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\taskkill.exe
        TASKKILL /F /PID 1984
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
      • C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
        NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp.bat

    Filesize

    145B

    MD5

    b6b72ff84e197b22b11b346ec1f70f23

    SHA1

    139c08a52483928850b354c2f5b1274a2ad020ce

    SHA256

    4dfeef0e7da5fe70545c7ab9d1711a05e8abd590009072c02b113cfe669f9bb4

    SHA512

    e3733d9b75a607de1a5e88f999c7b123cf3c3dbc62c588e849bbec45d81f97a50bb37950af14a3a8af184865cb65fcdbbe62709b3ab5e2333ea7c576d805cc54

  • \Users\Admin\AppData\Local\Temp\NSUDOLC.exe

    Filesize

    99KB

    MD5

    0ac3e9d59309f599403ac51615bfe41b

    SHA1

    9041c5562558cb58ac98bd18de3c0ce370a59e1f

    SHA256

    6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c

    SHA512

    e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910