Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 29/04/2024, 22:19
Static task: static1
Behavioral task: behavioral1
- Sample: 63966f9f796dc8cbde744ac71c4d46a65f7646792b98bb4bc4b53dcb9ac163f1.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 63966f9f796dc8cbde744ac71c4d46a65f7646792b98bb4bc4b53dcb9ac163f1.exe
- Resource: win10v2004-20240419-en
General
- Target: 63966f9f796dc8cbde744ac71c4d46a65f7646792b98bb4bc4b53dcb9ac163f1.exe
- Size: 332KB
- MD5: 40d48de1461d1fe01fb4a1faf1f5f4e9
- SHA1: aff2ab72069a4ba56ab6635dabf0bafb8259623c
- SHA256: 63966f9f796dc8cbde744ac71c4d46a65f7646792b98bb4bc4b53dcb9ac163f1
- SHA512: 21407b8cf58ff5abb47ff7f20856f154c93dbc2f727579d152bfca43fe5932a1e62aae72f00c9237964637f88c827a25872a34c0664c51a4cca0c7670b94e1d7
- SSDEEP: 6144:2hGiVdIhfuqeT5poLFPj52lvx5ZJ1pvaCqehyNh:2hVdIwT30dj52lXZJ9q4ah
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
    pid   Process
    2832  eccstpf.exe
- Loads dropped DLL (3 IoCs)
    pid   Process
    2832  eccstpf.exe
    2832  eccstpf.exe
    2832  eccstpf.exe
- Drops file in Program Files directory (2 IoCs)
    description   ioc                               Process
    File created  C:\PROGRA~3\Mozilla\qtlrtjl.dll   eccstpf.exe
    File created  C:\PROGRA~3\Mozilla\eccstpf.exe   63966f9f796dc8cbde744ac71c4d46a65f7646792b98bb4bc4b53dcb9ac163f1.exe
- Suspicious use of UnmapMainImage (2 IoCs)
    pid   Process
    2888  63966f9f796dc8cbde744ac71c4d46a65f7646792b98bb4bc4b53dcb9ac163f1.exe
    2832  eccstpf.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
    description                       pid   Process      procid_target
    PID 2388 wrote to memory of 2832  2388  taskeng.exe  29
    PID 2388 wrote to memory of 2832  2388  taskeng.exe  29
    PID 2388 wrote to memory of 2832  2388  taskeng.exe  29
    PID 2388 wrote to memory of 2832  2388  taskeng.exe  29
    PID 2388 wrote to memory of 2832  2388  taskeng.exe  29
    PID 2388 wrote to memory of 2832  2388  taskeng.exe  29
    PID 2388 wrote to memory of 2832  2388  taskeng.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\63966f9f796dc8cbde744ac71c4d46a65f7646792b98bb4bc4b53dcb9ac163f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63966f9f796dc8cbde744ac71c4d46a65f7646792b98bb4bc4b53dcb9ac163f1.exe"
  PID: 2888
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {43104A2F-AC58-4EAB-892D-9FD05139F821} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2388
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\eccstpf.exe (child of PID 2388)
    Command line: C:\PROGRA~3\Mozilla\eccstpf.exe -ufgsyxd
    PID: 2832
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 332KB
  MD5: 30de6a72aef6965c7ed208f5714151ec
  SHA1: a27f892f13d218648d3582bfb64e5fa4ab8273d6
  SHA256: 0707ff1a6704faf6007b087c84dc5792332fd6e6a52378d0e998981ac19dc849
  SHA512: 9d292ee4bae9d5773db549661e67684c1b2a96d9b54628c8eff2d565436c82067ddcc1e95284122edb92c720374e5a6a026c4f4ca8046c95d76d040d886fc8f4