Resubmissions

15/05/2024, 11:58 UTC

240515-n495nagc6y 10

15/05/2024, 11:54 UTC

240515-n3d1tsgd33 4

15/05/2024, 09:22 UTC

240515-lb8p1sba32 10

Analysis

  • max time kernel: 147s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 15/05/2024, 09:22 UTC

General

  • Target: 4423890.rar
  • Size: 11.2MB
  • MD5: ff7553a8d62ba75491119628aa7ede6e
  • SHA1: 105b16f65c61570fd9c6ff2077597ba626026cda
  • SHA256: 58fb41c622cfccae8febc06e0c04f25bdb613a5b260ae6f404e9d0eda5ea86ab
  • SHA512: ee01b5273fa7fb49eb8f55b995174bb869ebe77854427c4691e8980f5c2b49eef66a9e3fc8ecb6dd2388f390423318653b3573d1002af3124c70a42ed5815c22
  • SSDEEP: 196608:f9VizBum/MJuS5PuZBv5z7/AGUnfbhI7epRSv6EjBGu0wcDGIuPJGopuS5R:X4BF/GuS5PuZLQGOfeavSNjgu0tiI1o/

Malware Config

Signatures

  • DarkTrack

    DarkTrack is a remote administration tool written in Delphi.

  • DarkTrack payload (4 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Themida packer (5 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • UPX packed file (8 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (39 IoCs)
  • Suspicious use of SendNotifyMessage (37 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\4423890.rar
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4423890.rar"
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2728
  • C:\Users\Admin\Desktop\Predstavlenie № 6-51-2024 .docx.exe
    "C:\Users\Admin\Desktop\Predstavlenie № 6-51-2024 .docx.exe"
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\zapros.docx"
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        PID:1368
    • C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
      C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2124
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2812

    Network

    Destination         Process              Bytes           Packets
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 80 B    3 / 2
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3
    94.156.79.57:1443   AddInProcess32.exe   152 B / 120 B   3 / 3

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
      Filesize: 11.2MB
      MD5: d483c1a9718cf5d880b3cce5d6ff7423
      SHA1: 72be5e949dd6923a43e7eaab1811baea4bc4b644
      SHA256: 8df595a1528a09fdcfe237a7dd1009d1380a886875747d1b145925968463f7bd
      SHA512: 370e220b3bdb617a12479db075ee26741075306ce7a72237115b2d79c452baadf931ccf3b422e9d0ef1eb0138316c3233f3ecd27074f3e797dc20ee974eb6fe4

    • C:\Users\Admin\AppData\Local\Temp\zapros.docx
      Filesize: 11KB
      MD5: 9871272af8b06b484f0529c10350a910
      SHA1: 707979b027f371989fb71e36795b652a2d466592
      SHA256: c2a256547433bec8d7afbed923f453eb2df978f18ed498e82bb2b244b126a9f3
      SHA512: 5bd60de706ed3ef717177b08fa69ebc8117fe52bf53e896b91d102430b4b976b136f2df75fe4d1cb9cf16f5e73052e030e364bdf212148b1471e9c2b99f76a4c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize: 20KB
      MD5: 6158a5651dbc0fce3e27232e90226ed4
      SHA1: 9ab2bc42d552be5846ba751de94083119f483f71
      SHA256: 10167047239611ecefe7096f1507dc1a0e290072e3ca0f2ce1887e54a685d15b
      SHA512: bf10ebf6985316d7b638389ae9c695f50c1151b9e8fa48561b0d3a6eab7ab2f69e8e76a9affad252d87af04e5970803a73c9aa85f21147c1ddf63d5a18dcedee

    • C:\Users\Admin\Desktop\Predstavlenie № 6-51-2024 .docx.exe
      Filesize: 11.3MB
      MD5: 45ae0c08a1fb98fe77e4cd127b79ef7d
      SHA1: 12c7847fc2567ee9e6c0010f5c311753c017fa48
      SHA256: bb8165b8f60818061d12cac775d8d41436b16c9b40e01071fca7fb96f6ef435e
      SHA512: 21cc13630fc1fe3bea4d45e356e63d4e94db7357040793b4d091ef75b2cf05191037380c493b944d1ecf748b9bd9935f1f91ba0c8654c57dbbe4530ab4fff4cd

    • memory/2124-70-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
    • memory/2124-73-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
    • memory/2124-75-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
    • memory/2124-74-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
    • memory/2124-72-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
    • memory/2124-71-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
    • memory/2124-58-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
    • memory/2124-60-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
    • memory/2124-62-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
    • memory/2124-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
    • memory/2348-53-0x0000000000400000-0x0000000001F60000-memory.dmp (Filesize: 27.4MB)
    • memory/2348-56-0x0000000006CF0000-0x0000000006D0A000-memory.dmp (Filesize: 104KB)
    • memory/2348-78-0x0000000000400000-0x0000000001F60000-memory.dmp (Filesize: 27.4MB)
    • memory/2348-44-0x0000000000400000-0x0000000001F60000-memory.dmp (Filesize: 27.4MB)
    • memory/2348-52-0x0000000000400000-0x0000000001F60000-memory.dmp (Filesize: 27.4MB)
    • memory/2348-54-0x00000000021A0000-0x00000000021E4000-memory.dmp (Filesize: 272KB)
    • memory/2348-57-0x0000000006150000-0x0000000006156000-memory.dmp (Filesize: 24KB)
    • memory/2356-43-0x0000000003740000-0x00000000052A0000-memory.dmp (Filesize: 27.4MB)
    • memory/2356-42-0x0000000003740000-0x00000000052A0000-memory.dmp (Filesize: 27.4MB)
    • memory/2488-96-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
    • memory/2488-30-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
    • memory/2812-68-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)
    • memory/2812-67-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)
