Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    17/05/2024, 18:46

General

  • Target

    11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe

  • Size

    822KB

  • MD5

    1f57fc13c56a4dceed5ef9287677978c

  • SHA1

    6960f54e573c33a09e9cbc1c67394dec3237c355

  • SHA256

    11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3

  • SHA512

    9ddc28dab956886920e83d3ff0847eb3b9163d4f435b23eebffe9dd20775d9a90da59417a36b315cf0e730065663b555819989c913c6e192fc277417dc73603f

  • SSDEEP

    6144:XwynAtMrOVRkidy9yIGWlUiJwzYDteYIpREZPF9xkNbyjUWAZyVVp7BnxeHF:XwKfOVRo9yRYzwzYDteYIpREf9eqVUl

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
    "C:\Users\Admin\AppData\Local\Temp\11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2024
    • \??\c:\program files (x86)\common files\microsoft shared\ink\microsoftmicaut.exe
      "c:\program files (x86)\common files\microsoft shared\ink\microsoftmicaut.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2400
    • \??\c:\program files (x86)\common files\microsoft shared\help\informationmicrosoftr.exe
      "c:\program files (x86)\common files\microsoft shared\help\informationmicrosoftr.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1532
    • \??\c:\program files (x86)\windows nt\tabletextservice\es-es\operatingwindows.exe
      "c:\program files (x86)\windows nt\tabletextservice\es-es\operatingwindows.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:3028
    • \??\c:\program files (x86)\common files\system\msadc\en-us\systemmsadcer.exe
      "c:\program files (x86)\common files\system\msadc\en-us\systemmsadcer.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\System\msadc\en-US\RCX5E0D.tmp

    Filesize

    824KB

    MD5

    82110c77edc4f51477e8ae5867930605

    SHA1

    b6b8e60fbb34a35d90c7a3149b9d60eeb56f6e21

    SHA256

    93148b182001a6c3ad694a791588b0b1619d561e0f1ab6f1b4303c993ddf9508

    SHA512

    1d6b575f55a5965f681929572594f45c728de1e120c80192e2a8c6d12a6918500e9a30ee1919bc32f95e0f124b6e90b257e6ddfb25e6975d65937552385da6ce

  • C:\Program Files (x86)\Windows NT\TableTextService\es-ES\OperatingWindows.exe

    Filesize

    822KB

    MD5

    1f57fc13c56a4dceed5ef9287677978c

    SHA1

    6960f54e573c33a09e9cbc1c67394dec3237c355

    SHA256

    11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3

    SHA512

    9ddc28dab956886920e83d3ff0847eb3b9163d4f435b23eebffe9dd20775d9a90da59417a36b315cf0e730065663b555819989c913c6e192fc277417dc73603f