Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel    18s
  max time network   122s
  platform           windows7_x64
  resource           win7-20240221-en
  resource tags      arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted          29/04/2024, 03:39
Static task       static1
Behavioral task   behavioral1
  Sample    eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
  Resource  win7-20240221-en
Behavioral task   behavioral2
  Sample    eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
  Resource  win10v2004-20240419-en

Every IoC in the Signatures and Processes sections below is prefixed behavioral1, i.e. it comes from the Windows 7 run; no results from the Windows 10 task (behavioral2) appear on this page.
General
  Target   eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
  Size     311KB
  MD5      977e0bcc5005532e772979593262f9f4
  SHA1     50e847ca2fdad9d4b4cd3c3148989aade8b3acbb
  SHA256   eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b
  SHA512   2806fb66f6f55d510f672f70d1f5a2680c1faa70f4421816a9df526ba3c13803fa8be6ce4f5e24fc0892c3f643a8d753bf6e14ae8e29158ef46957e596d58038
  SSDEEP   3072:HQC/yj5JO3MnSG+Hu54Fx4xE8pLRkgUA1nQZwFGVO4Mqg+WDF:wlj7cMnL+OEXOLRp1nQ4QLs
Malware Config
Signatures

UPX dump on OEP (original entry point) - 9 IoCs (YARA rule: UPX)
  behavioral1/memory/2936-0-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/files/0x000c00000001450b-5.dat
  behavioral1/memory/2936-12-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1680-15-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1732-32-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/files/0x0010000000014b12-30.dat
  behavioral1/memory/2672-29-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2672-24-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1680-33-0x0000000000400000-0x000000000041B000-memory.dmp
  Every memory hit covers the same image range (0x400000-0x41B000) in all four processes (the submitted sample, PID 2936, and the three MSWDM.EXE instances), consistent with MSWDM.EXE being a copy of the same UPX-packed image rather than a separate payload.
Executes dropped EXE - 4 IoCs
  PID   Process
  1680  MSWDM.EXE
  1732  MSWDM.EXE
  3044  EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE
  2672  MSWDM.EXE

Loads dropped DLL - 1 IoC
  PID   Process
  1732  MSWDM.EXE
Adds Run key to start application - 2 TTPs, 4 IoCs
  Operation        Key / value                                                                              Data          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM          "MSWDM.EXE"   eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM  "MSWDM.EXE"   eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM          "MSWDM.EXE"   MSWDM.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM  "MSWDM.EXE"   MSWDM.EXE
  The value data is a bare file name, not a full path, so the entry relies on MSWDM.EXE being found in C:\WINDOWS at logon. RunServices is a Windows 9x/Me autostart key that NT-based Windows does not process; writing it alongside Run does nothing on Windows 7 but is a useful host-side indicator, since legitimate software does not create it.
Drops file in Windows directory - 3 IoCs
  Operation                 Path                       Process
  File created              C:\WINDOWS\MSWDM.EXE       eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
  File opened for modification  C:\Windows\dev13BF.tmp  eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
  File opened for modification  C:\Windows\dev13BF.tmp  MSWDM.EXE

Suspicious behavior: EnumeratesProcesses - 1 IoC
  PID   Process
  1732  MSWDM.EXE
Suspicious use of WriteProcessMemory - 19 IoCs
  Writer PID  Writer process                                                            Target PID  procid_target  Writes
  2936        eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe     1680        28             4
  2936        eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe     1732        29             4
  1732        MSWDM.EXE                                                                 3044        30             7
  1732        MSWDM.EXE                                                                 2672        31             4
  All 19 writes go from a process to a child it has just created (compare the process tree below); none targets a pre-existing or unrelated process. Parent-to-child writes at spawn time are what CreateProcess itself produces, so this signature on its own is weak evidence of injection here; the persistence and the dropped copies carry the verdict.
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe  (PID 2936)
      command line: "C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      [2] C:\WINDOWS\MSWDM.EXE  (PID 1680)
          command line: "C:\WINDOWS\MSWDM.EXE"
          - Executes dropped EXE
          - Adds Run key to start application
      [2] C:\WINDOWS\MSWDM.EXE  (PID 1732)
          command line: -r!C:\Windows\dev13BF.tmp!C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe! !
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          [3] C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE  (PID 3044)
              - Executes dropped EXE
          [3] C:\WINDOWS\MSWDM.EXE  (PID 2672)
              command line: -e!C:\Windows\dev13BF.tmp!C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE!
              - Executes dropped EXE
              - Drops file in Windows directory

The two MSWDM.EXE command lines share one argument layout: a switch (-r or -e), then the dev13BF.tmp path and a target executable path, each terminated by "!". The -r invocation names the submitted sample; the -e invocation names the upper-cased copy in the same Temp directory, which PID 3044 then executes. The report does not say what -r and -e stand for.
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE
    Filesize  311KB
    MD5       82b4bcf5dff9ad9ec63d24cfeff17de0
    SHA1      a1901b8aae1ac260583a1d22250b75521d5d838d
    SHA256    ae42814f7e3395b777f36c61ebaeddb556a191dbfba16c5481b34fd317107743
    SHA512    def55d81d85c548a3b2ce7c2b13cb2f4f95ab54ccb58cab9134f8051c23716af1863d3908702f74358f62e1e0721ca1cf6fed846ff4c03ba54e631d7e7b35421
  (no path listed)
    Filesize  80KB
    MD5       c0a13d8c5d6be0da0ba14bd33b85796c
    SHA1      e7e587443835ee91ad94bb0dfdd455154f5f4601
    SHA256    c0b7ba4c7b2f95c9ba4f9456dc998c95a65985bd0e4a81db6ae67fc68cfad932
    SHA512    f76f6af92aedc1092e437438df9fe44af60908c56e52cc3ae7148252fbc7d846171f725e2f8427de450237db22ce0a8519f75888ed74db1c9646188ace499524
  (no path listed)
    Filesize  231KB
    MD5       6f581a41167d2d484fcba20e6fc3c39a
    SHA1      d48de48d24101b9baaa24f674066577e38e6b75c
    SHA256    3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
    SHA512    e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Note that the re-dropped EDA3...EXE has the same size as the submitted sample (311KB) but different hashes, so the copy is not byte-identical to the original. The two unnamed files are 80KB and 231KB, which add up to 311KB; that is consistent with a carrier that stores a separate executable as a payload and writes the two parts out at runtime, but it is an inference from the sizes, not something the report states. When hunting, match on all four SHA256 values rather than the submitted hash alone.
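The registry writes, the MSWDM.EXE argument layout from the process tree and the dropped-file hashes above are the pieces a responder would turn into a host or EDR check. The script below does that; it is an added example, not code from tria.ge or from the sample. The event dictionaries use a hypothetical telemetry schema (type, pid, image, cmdline, path, data, sha256), the events are constructed to mirror this report, the hex part of dev13BF.tmp is treated as variable on the assumption that it changes between runs, and the meaning of the -r and -e switches is not known, so only their shape is matched.

```python
"""Match host/EDR telemetry against the IoCs in this tria.ge report.

Added example (not tria.ge code). Event dicts are a hypothetical schema and
the EVENTS list is constructed to mirror the report's process tree, registry
writes and dropped-file hashes.
"""
import re
from typing import Optional

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b",  # submitted sample, 311KB
    "ae42814f7e3395b777f36c61ebaeddb556a191dbfba16c5481b34fd317107743",  # re-dropped copy, 311KB
    "c0b7ba4c7b2f95c9ba4f9456dc998c95a65985bd0e4a81db6ae67fc68cfad932",  # 80KB dropped file
    "3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7",  # 231KB dropped file
}
# Value "WDM" = "MSWDM.EXE" written under Run and the Win9x-era RunServices key.
WDM_RUN_VALUES = {
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM",
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM",
}
DROPPER_IMAGE = r"C:\WINDOWS\MSWDM.EXE"
# Report shows dev13BF.tmp; the four hex digits are assumed to vary per run.
DEV_TMP = re.compile(r"^[A-Z]:\\Windows\\dev[0-9A-F]{4}\.tmp$", re.I)
# Shape from the process tree: -r!<tmp>!<path>! !  and  -e!<tmp>!<path>!
# What 'r' and 'e' mean is not stated by the report; only the layout is matched.
MSWDM_ARGS = re.compile(r"^\s*-(?P<mode>[re])!(?P<tmp>[^!]+)!(?P<target>[^!]+)!", re.I)


def parse_mswdm_args(cmdline: str) -> Optional[dict]:
    """Split an MSWDM.EXE command line into mode, tmp path and target path."""
    m = MSWDM_ARGS.match(cmdline)
    if not m:
        return None
    return {"mode": m["mode"].lower(), "tmp": m["tmp"], "target": m["target"]}


def classify(event: dict) -> list:
    """Return the IoC tags one telemetry event matches (empty list = no hit)."""
    tags = []
    kind = event.get("type")
    if kind == "process":
        if event.get("image", "").upper() == DROPPER_IMAGE:
            tags.append("mswdm_image")
            args = parse_mswdm_args(event.get("cmdline", ""))
            if args:
                tags.append("mswdm_args_" + args["mode"])
                if DEV_TMP.match(args["tmp"]):
                    tags.append("mswdm_tmp_in_windows")
    elif kind == "registry":
        if event.get("path") in WDM_RUN_VALUES and event.get("data", "").upper() == "MSWDM.EXE":
            tags.append("runservices_wdm" if "RunServices" in event["path"] else "run_wdm")
    elif kind == "file":
        path = event.get("path", "")
        if path.upper() == DROPPER_IMAGE:
            tags.append("dropped_mswdm")
        elif DEV_TMP.match(path):
            tags.append("dev_tmp_in_windows")
    if event.get("sha256", "").lower() in KNOWN_SHA256:
        tags.append("known_sha256")
    return tags


def triage(events: list) -> dict:
    """Count how often each IoC tag fires across a batch of events."""
    counts = {}
    for ev in events:
        for tag in classify(ev):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def is_mswdm_chain(events: list) -> bool:
    """True when the report's combination is present: a WDM Run/RunServices
    write plus MSWDM.EXE launched with the -r!/-e! argument layout."""
    c = triage(events)
    persisted = c.get("run_wdm", 0) + c.get("runservices_wdm", 0) > 0
    relaunched = c.get("mswdm_args_r", 0) + c.get("mswdm_args_e", 0) > 0
    return persisted and relaunched


# Constructed telemetry; PIDs and paths are taken from the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe"
COPY = r"C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE"
RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion"
EVENTS = [
    {"type": "process", "pid": 2936, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "sha256": "eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b"},
    {"type": "file", "pid": 2936, "path": r"C:\WINDOWS\MSWDM.EXE"},
    {"type": "registry", "pid": 2936, "path": RUN + r"\Run\WDM", "data": "MSWDM.EXE"},
    {"type": "registry", "pid": 2936, "path": RUN + r"\RunServices\WDM", "data": "MSWDM.EXE"},
    {"type": "process", "pid": 1680, "ppid": 2936, "image": DROPPER_IMAGE, "cmdline": f'"{DROPPER_IMAGE}"'},
    {"type": "process", "pid": 1732, "ppid": 2936, "image": DROPPER_IMAGE,
     "cmdline": f"-r!C:\\Windows\\dev13BF.tmp!{SAMPLE}! !"},
    {"type": "process", "pid": 3044, "ppid": 1732, "image": COPY, "cmdline": f'"{COPY}"',
     "sha256": "ae42814f7e3395b777f36c61ebaeddb556a191dbfba16c5481b34fd317107743"},
    {"type": "process", "pid": 2672, "ppid": 1732, "image": DROPPER_IMAGE,
     "cmdline": f"-e!C:\\Windows\\dev13BF.tmp!{COPY}!"},
    {"type": "file", "pid": 2672, "path": r"C:\Windows\dev13BF.tmp"},
    # Unrelated benign process: must produce no tags.
    {"type": "process", "pid": 4000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for tag, n in sorted(triage(EVENTS).items()):
        print(f"{tag:24s} {n}")
    print("MSWDM chain present:", is_mswdm_chain(EVENTS))
```

The verdict function deliberately requires two independent signals (a WDM autostart value and the MSWDM.EXE argument layout) so that a lone Run-key write or a single process name does not page anyone; the hash set is kept as a separate tag because it only catches these exact files, while the registry and command-line patterns survive a recompile.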