Analysis
- max time kernel: 135s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 21/05/2024, 00:19
Static task: static1
Behavioral task: behavioral1
- Sample: 2343220820185117653724284721341YRWYRRRET56556U P1DF.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2343220820185117653724284721341YRWYRRRET56556U P1DF.exe
- Resource: win10v2004-20240508-en
General
- Target: 2343220820185117653724284721341YRWYRRRET56556U P1DF.exe
- Size: 1.6MB
- MD5: c199e8c1d6d78839bbe8c246fe1189fa
- SHA1: 2751846150be33e07814bffbb93f17cd75976067
- SHA256: c98348acfaf93dc66a8b44cd00303670222fcdf59ad3eb1d3ab5ad1d3b1ef92a
- SHA512: 67ee203a202e1db3068a22839cf7f8ff1c932fb706a9baae6ce252d10fbe0e600647703ccbfe25b08710b14c96203f2d52f57e2310926ca96b8ef31fbbd307e9
- SSDEEP: 24576:CoI3PGDYjSaOdiSFQY8ncjr5yKg7VwmhXtqh2wQK:+pjaiao4XghZhPwQ
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2324, process CrModMngr.exe
- Loads dropped DLL (1 IoC)
  pid 2360, process 2343220820185117653724284721341YRWYRRRET56556U P1DF.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrModMngr = "C:\\Users\\Admin\\AppData\\Roaming\\CrModMngr.exe"
  Process: 2343220820185117653724284721341YRWYRRRET56556U P1DF.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2628, process AcroRd32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2628, process AcroRd32.exe (3 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2360 (2343220820185117653724284721341YRWYRRRET56556U P1DF.exe) wrote to memory of PID 2324, procid_target 28 (4 entries)
  PID 2360 (2343220820185117653724284721341YRWYRRRET56556U P1DF.exe) wrote to memory of PID 2628, procid_target 29 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2343220820185117653724284721341YRWYRRRET56556U P1DF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2343220820185117653724284721341YRWYRRRET56556U P1DF.exe"
  PID: 2360
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\CrModMngr.exe
    Command line: "C:\Users\Admin\AppData\Roaming\CrModMngr.exe"
    PID: 2324
    - Executes dropped EXE
  - Child: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\doc13454.pdf"
    PID: 2628
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: c883f5cc4bbbe4a2224e7a044d841fe0
  SHA1: 1b595dddad40e7978516f7b346baaf106460f868
  SHA256: 7ca096dca61df90a002a9a59fa3c369362c8c58d45facd8f5a6f3df949863dd1
  SHA512: 46087bd9003fcd55282b856d287c263ead10bcf6bb3854c583b44fac0f54f3da557577879140fa12631bdbe72859f629afcb8c3b04ffaedd3f8681ffe04b1b0b
- Filesize: 1.1MB
  MD5: f7f6937a9072aa2976e7bb39b08c510a
  SHA1: 79016574086491fbd4b05139f8abbc8cc4b085c5
  SHA256: de1649e56593a2afb34c45ac9c18bc4d528df8d2d6795454dbc95e6e0f689144
  SHA512: 89f192fa07e573200ed8a3c6c2990e2487fe33e119e3a137f2d241b754ecd338e3d59cf1cb8c7d37b7077a8bb36952209b56a90e77be6cc927687d2e157c963b
- Filesize: 45KB
  MD5: 78a4cb6670178725b4c5c226a2f7202d
  SHA1: cc79240cdaf864f64caec599f72244c307957dfa
  SHA256: 94696530bb898d9e0990eb837e3e4809c57e170e5973d1d2889b7ef9283c2ffb
  SHA512: 6b2c35d7caffb6a2c20ce9fe863c07029498dd9c1cfbe4556266449490b669242008ec274e24de397b5488e4c51e7c369e70aecdf1df268cabcd0cc7c5ab7028