Analysis
max time kernel: 15s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19/05/2024, 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
  Resource: win10v2004-20240426-en
General
Target: 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
Size: 89KB
MD5: 2e3302c4952f77f99b178fd739e82491
SHA1: 80ac4d1e9daf74619d71d5a625619be4f79d20b4
SHA256: 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e
SHA512: 5091e25bee1cd5bc41f3c26b6e349d098a8a48c85ffd6be1fc45356edbc307cfe8847fb290d652150a91f2eaac3ba04e0c917a3808d44cbdf64adb16d73aee06
SSDEEP: 1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FfgG+stEToa9D4ZQKbgZi1dst7x9Pxp:HQC/yj5JO3MnfgG++lZQKbgZi1St7xp
Malware Config
Signatures
- UPX dump on OEP (original entry point) (10 IoCs)
  resource | yara_rule
  behavioral1/memory/2988-0-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/memory/2988-3-0x00000000001B0000-0x00000000001CB000-memory.dmp | UPX
  behavioral1/files/0x000b0000000155e2-15.dat | UPX
  behavioral1/memory/2888-22-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/memory/2884-20-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/memory/2988-12-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/memory/2884-32-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/files/0x0007000000015c69-30.dat | UPX
  behavioral1/memory/2380-29-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/memory/2888-33-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
- Executes dropped EXE (4 IoCs)
  pid | Process
  2884 | MSWDM.EXE
  2888 | MSWDM.EXE
  2628 | 83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE
  2380 | MSWDM.EXE
- Loads dropped DLL (1 IoC)
  pid | Process
  2884 | MSWDM.EXE
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\MSWDM.EXE | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
  File opened for modification | C:\Windows\dev8CD5.tmp | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
  File opened for modification | C:\Windows\dev8CD5.tmp | MSWDM.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2884 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2988 wrote to memory of 2888 | 2988 | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe | 28
  PID 2988 wrote to memory of 2888 | 2988 | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe | 28
  PID 2988 wrote to memory of 2888 | 2988 | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe | 28
  PID 2988 wrote to memory of 2888 | 2988 | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe | 28
  PID 2988 wrote to memory of 2884 | 2988 | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe | 29
  PID 2988 wrote to memory of 2884 | 2988 | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe | 29
  PID 2988 wrote to memory of 2884 | 2988 | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe | 29
  PID 2988 wrote to memory of 2884 | 2988 | 83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe | 29
  PID 2884 wrote to memory of 2628 | 2884 | MSWDM.EXE | 30
  PID 2884 wrote to memory of 2628 | 2884 | MSWDM.EXE | 30
  PID 2884 wrote to memory of 2628 | 2884 | MSWDM.EXE | 30
  PID 2884 wrote to memory of 2628 | 2884 | MSWDM.EXE | 30
  PID 2884 wrote to memory of 2380 | 2884 | MSWDM.EXE | 31
  PID 2884 wrote to memory of 2380 | 2884 | MSWDM.EXE | 31
  PID 2884 wrote to memory of 2380 | 2884 | MSWDM.EXE | 31
  PID 2884 wrote to memory of 2380 | 2884 | MSWDM.EXE | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe (PID: 2988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE (PID: 2888)
    Command line: "C:\WINDOWS\MSWDM.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\WINDOWS\MSWDM.EXE (PID: 2884)
    Command line: -r!C:\Windows\dev8CD5.tmp!C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe! !
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE (PID: 2628)
      - Executes dropped EXE
    - C:\WINDOWS\MSWDM.EXE (PID: 2380)
      Command line: -e!C:\Windows\dev8CD5.tmp!C:\Users\Admin\AppData\Local\Temp\83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE!
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE
  Filesize: 89KB
  MD5: 333e6b79d1d1947e7ca44492cd96c833
  SHA1: 2ad154740297258c4e2cca2a72d18e2c6ff0770f
  SHA256: a4e0f59d8448fa771c07de2a2427db5ea40e8720721fffe04858063a0a68c90f
  SHA512: 4c0e5f9536d1efd21da3494c5a02d03c8eeb76f10e964802191503fc7523d8c3c9f79de3a6558753058e9e37d68b2b8d30713bdaa4ca54ccf8f92ecd3c66751a
- Filesize: 47KB
  MD5: 0899c12880bb71740aaeef618b3133b2
  SHA1: 9370dab734f42f59d4ae434e7644e7d7ba9507b1
  SHA256: f6faa1e11b030e5640af5c5a96bce67ef928a723a003c71846ca668d58d155b1
  SHA512: b5c825f19c1a27cb4eecb059ae08c339f701620f983f8db2ad76354d8e98c89ec2249855241fe16cc7384316f8d062000b060c7c8891d5b426281306dd32bac4
- Filesize: 41KB
  MD5: 977e405c109268909fd24a94cc23d4f0
  SHA1: af5d032c2b6caa2164cf298e95b09060665c4188
  SHA256: cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f
  SHA512: 12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5