Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

17/04/2024, 08:54

240417-kt955aad45 7

17/04/2024, 08:54

240417-kt9jlaad44 7

17/04/2024, 08:54

240417-kt8masad42 7

17/04/2024, 08:54

240417-kt8bjabh6x 7

17/04/2024, 08:54

240417-kt7p1abh6w 7

17/04/2024, 06:26

240417-g7dsashd8w 7

Analysis

  • max time kernel
    192s
  • max time network
    298s
  • platform
    windows10-1703_x64
  • resource
    win10-20240319-en
  • resource tags

    arch:x64arch:x86image:win10-20240319-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17/04/2024, 08:54

General

  • Target

    ac075628b6cdb15172f6a76f0d3331316934e09cf0f0bd3a94c0e5e23b02a352.exe

  • Size

    14.1MB

  • MD5

    ca8759c6ed97044b07af776617d63e60

  • SHA1

    8d9c7a6ae0d7b04965881640f890fb824e17aa15

  • SHA256

    ac075628b6cdb15172f6a76f0d3331316934e09cf0f0bd3a94c0e5e23b02a352

  • SHA512

    8c90dbb2d346c52d6c0a2a34df3fa4258c573df654a57e9a2d1304b55e770a18f9ff8d7c5006e9ec3e3890e27723516ada82d10429666d3985dabe6ce2166c36

  • SSDEEP

    196608:zCKlOXcCT0AdpHeFsfghvbxyUPbHjTV2JOogd3dB3q91okxWeOZSzsvwQv/bUYLH:WSuQsoNxDV6oNr3qoL3Zy6wQvjUeWw

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac075628b6cdb15172f6a76f0d3331316934e09cf0f0bd3a94c0e5e23b02a352.exe
    "C:\Users\Admin\AppData\Local\Temp\ac075628b6cdb15172f6a76f0d3331316934e09cf0f0bd3a94c0e5e23b02a352.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3568
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        3⤵
        • Creates scheduled task(s)
        PID:316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\32.exe

    Filesize

    6.7MB

    MD5

    8c6d737d2266a938b8e771b661005e17

    SHA1

    94c29a32cac2540ffd996a97ada23a14504441d6

    SHA256

    f19a0113ff2e113dbb719a6851242aff2cd7463e9766eaafedc00cf3326513d9

    SHA512

    fcf801bb69cd76d0f0507a37f6b121fe90d9539101df0dd54d8acc56bf37a2af1ef64067dc2a850471ef9871d350cd6ec61997ba7acfb88117f6a8da3a2270df

  • C:\Users\Admin\AppData\Local\Temp\64.exe

    Filesize

    7.2MB

    MD5

    211f02e41dac48e00425276ecacfb4aa

    SHA1

    1f14aa92dcf21c82d20b953b42e18c46cf430dba

    SHA256

    193276f5205f9e85066726c045ce1277059ff095ac21bc0801c4b95960898845

    SHA512

    03e0bfb1cc8b09d3601bb5612622a4e79943077c22accad53d04fba441747bcd6ca2e58e3f161a2249f03bec84fadf3c1def263acc3be3ab3c8e5fe9a96c7975

  • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

    Filesize

    722KB

    MD5

    43141e85e7c36e31b52b22ab94d5e574

    SHA1

    cfd7079a9b268d84b856dc668edbb9ab9ef35312

    SHA256

    ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

    SHA512

    9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

  • C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

    Filesize

    12.8MB

    MD5

    34c5a0f1e8e6bb660d79bafb4847ef3e

    SHA1

    92470fcb2e0b9cece22ad621e69a0767e002c029

    SHA256

    bb683ad4e14fffa2b9e852f0d1a51eb0218798502962c655f98d68a1bc3cc670

    SHA512

    c4d496de0463cb7795a43de43b0c89fd8dca5ef33e98beea01bdfe05f7e0c41328096a7e67913df72c7d086ae512537273ba05cea9847221cee5595b10b4e48a

  • C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

    Filesize

    2KB

    MD5

    9160347bec74471e1a79edfd950629ae

    SHA1

    c149a7e5aab6e349a70b7b458d0eaaa9d301c790

    SHA256

    0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

    SHA512

    b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

  • C:\Users\Admin\AppData\Local\Temp\autA141.tmp

    Filesize

    12.8MB

    MD5

    c80b046f7570cbb66be8162691ec5cbd

    SHA1

    71f42723bc23f6ca62295d84f444f80e29794372

    SHA256

    e26b37f53825e059fad1bd7ed23fed1bca84e1bdd65cb466bcd370e5340de4f3

    SHA512

    84bc317c3eb8a405ba5793153d782a04073d42381304568f9950466464e127126bc206e928a2ba19d05974dfdd7ae3083663a73033b185eea6b4d5ac67c175dc

  • memory/2232-23-0x0000000001230000-0x0000000001231000-memory.dmp

    Filesize

    4KB

  • memory/2232-26-0x0000000005ED0000-0x0000000005ED1000-memory.dmp

    Filesize

    4KB

  • memory/2232-27-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

    Filesize

    4KB

  • memory/2232-25-0x0000000001240000-0x0000000001241000-memory.dmp

    Filesize

    4KB