Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
21s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
01/05/2024, 04:56 UTC
Behavioral task
behavioral1
Sample
f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe
Resource
win10v2004-20240419-en
General
-
Target
f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe
-
Size
497KB
-
MD5
1302a044621104433f3c50b46648d898
-
SHA1
162750d2fc2491c113ab85c5e8dd2e3ce773c9ee
-
SHA256
f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f
-
SHA512
9d43417f19e7a10b2d719ab9a97a055da1214d801651754b5bba136bb968174987c14d16bb39365b8ec689e0db09424e9ff860ba9c79c6b207ed27de9c38ec29
-
SSDEEP
6144:J89MAPjz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayu:+b1gL5pRTcAkS/3hzN8qE43fm78V6
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 8 IoCs
resource yara_rule behavioral1/memory/2924-29-0x0000000000400000-0x0000000000418000-memory.dmp UPX behavioral1/memory/2528-26-0x0000000000400000-0x0000000000418000-memory.dmp UPX behavioral1/files/0x00080000000122bf-24.dat UPX behavioral1/memory/2108-21-0x0000000000400000-0x0000000000418000-memory.dmp UPX behavioral1/memory/2924-20-0x0000000000400000-0x0000000000418000-memory.dmp UPX behavioral1/memory/2748-12-0x0000000000400000-0x0000000000418000-memory.dmp UPX behavioral1/memory/2748-0-0x0000000000400000-0x0000000000418000-memory.dmp UPX behavioral1/memory/2108-30-0x0000000000400000-0x0000000000418000-memory.dmp UPX -
Executes dropped EXE 4 IoCs
pid Process 2924 MSWDM.EXE 2108 MSWDM.EXE 2636 F21CCF98DC32F79B995858AEF6396F60D678865717597E699C8BE1FB920ADB5F.EXE 2528 MSWDM.EXE -
Loads dropped DLL 2 IoCs
pid Process 2924 MSWDM.EXE 2544 Process not Found -
resource yara_rule behavioral1/memory/2924-29-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2528-26-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/files/0x00080000000122bf-24.dat upx behavioral1/memory/2108-21-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2924-20-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2748-12-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2748-0-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2108-30-0x0000000000400000-0x0000000000418000-memory.dmp upx -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" MSWDM.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" MSWDM.EXE -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\MSWDM.EXE f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe File opened for modification C:\Windows\dev1239.tmp f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2924 MSWDM.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2108 2748 f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe 28 PID 2748 wrote to memory of 2108 2748 f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe 28 PID 2748 wrote to memory of 2108 2748 f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe 28 PID 2748 wrote to memory of 2108 2748 f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe 28 PID 2748 wrote to memory of 2924 2748 f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe 29 PID 2748 wrote to memory of 2924 2748 f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe 29 PID 2748 wrote to memory of 2924 2748 f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe 29 PID 2748 wrote to memory of 2924 2748 f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe 29 PID 2924 wrote to memory of 2636 2924 MSWDM.EXE 30 PID 2924 wrote to memory of 2636 2924 MSWDM.EXE 30 PID 2924 wrote to memory of 2636 2924 MSWDM.EXE 30 PID 2924 wrote to memory of 2636 2924 MSWDM.EXE 30 PID 2924 wrote to memory of 2528 2924 MSWDM.EXE 32 PID 2924 wrote to memory of 2528 2924 MSWDM.EXE 32 PID 2924 wrote to memory of 2528 2924 MSWDM.EXE 32 PID 2924 wrote to memory of 2528 2924 MSWDM.EXE 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe"C:\Users\Admin\AppData\Local\Temp\f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\WINDOWS\MSWDM.EXE"C:\WINDOWS\MSWDM.EXE"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2108
-
-
C:\WINDOWS\MSWDM.EXE-r!C:\Windows\dev1239.tmp!C:\Users\Admin\AppData\Local\Temp\f21ccf98dc32f79b995858aef6396f60d678865717597e699c8be1fb920adb5f.exe! !2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\F21CCF98DC32F79B995858AEF6396F60D678865717597E699C8BE1FB920ADB5F.EXE
- Executes dropped EXE
PID:2636
-
-
C:\WINDOWS\MSWDM.EXE-e!C:\Windows\dev1239.tmp!C:\Users\Admin\AppData\Local\Temp\F21CCF98DC32F79B995858AEF6396F60D678865717597E699C8BE1FB920ADB5F.EXE!3⤵
- Executes dropped EXE
PID:2528
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD58b4aef2d7b10876bedfc2d94d5bd152f
SHA1a1017d53dcb9407659fc70c27ced4da77d01f33f
SHA256c23788b417a47f7862bca534efe90ca6f2240f34063dc570e32da8bc7083fc93
SHA5125ce19e078e0826f064b224f7e40cc6eca7b65e10bff51fd7bca316efa7b764a9ce208f3a3b86d20bed7f4d682db2c685b4f57508cd7392957dc5473e6068048c
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628