Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    21/05/2024, 00:19

General

  • Target

    2343220820185117653724284721341YRWYRRRET56556U P1DF.exe

  • Size

    1.6MB

  • MD5

    c199e8c1d6d78839bbe8c246fe1189fa

  • SHA1

    2751846150be33e07814bffbb93f17cd75976067

  • SHA256

    c98348acfaf93dc66a8b44cd00303670222fcdf59ad3eb1d3ab5ad1d3b1ef92a

  • SHA512

    67ee203a202e1db3068a22839cf7f8ff1c932fb706a9baae6ce252d10fbe0e600647703ccbfe25b08710b14c96203f2d52f57e2310926ca96b8ef31fbbd307e9

  • SSDEEP

    24576:CoI3PGDYjSaOdiSFQY8ncjr5yKg7VwmhXtqh2wQK:+pjaiao4XghZhPwQ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2343220820185117653724284721341YRWYRRRET56556U P1DF.exe
    "C:\Users\Admin\AppData\Local\Temp\2343220820185117653724284721341YRWYRRRET56556U P1DF.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Roaming\CrModMngr.exe
      "C:\Users\Admin\AppData\Roaming\CrModMngr.exe"
      2⤵
      • Executes dropped EXE
      PID:2324
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\doc13454.pdf"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    c883f5cc4bbbe4a2224e7a044d841fe0

    SHA1

    1b595dddad40e7978516f7b346baaf106460f868

    SHA256

    7ca096dca61df90a002a9a59fa3c369362c8c58d45facd8f5a6f3df949863dd1

    SHA512

    46087bd9003fcd55282b856d287c263ead10bcf6bb3854c583b44fac0f54f3da557577879140fa12631bdbe72859f629afcb8c3b04ffaedd3f8681ffe04b1b0b

  • C:\Users\Admin\AppData\Roaming\CrModMngr.exe

    Filesize

    1.1MB

    MD5

    f7f6937a9072aa2976e7bb39b08c510a

    SHA1

    79016574086491fbd4b05139f8abbc8cc4b085c5

    SHA256

    de1649e56593a2afb34c45ac9c18bc4d528df8d2d6795454dbc95e6e0f689144

    SHA512

    89f192fa07e573200ed8a3c6c2990e2487fe33e119e3a137f2d241b754ecd338e3d59cf1cb8c7d37b7077a8bb36952209b56a90e77be6cc927687d2e157c963b

  • C:\Users\Admin\AppData\Roaming\doc13454.pdf

    Filesize

    45KB

    MD5

    78a4cb6670178725b4c5c226a2f7202d

    SHA1

    cc79240cdaf864f64caec599f72244c307957dfa

    SHA256

    94696530bb898d9e0990eb837e3e4809c57e170e5973d1d2889b7ef9283c2ffb

    SHA512

    6b2c35d7caffb6a2c20ce9fe863c07029498dd9c1cfbe4556266449490b669242008ec274e24de397b5488e4c51e7c369e70aecdf1df268cabcd0cc7c5ab7028

  • memory/2324-11-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2324-12-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2324-32-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-0-0x00000000748A1000-0x00000000748A2000-memory.dmp

    Filesize

    4KB

  • memory/2360-1-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-2-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-13-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB