Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

norecoil.exe

windows11-21h2-x64

7

norecoil.pyc

windows11-21h2-x64

3

Analysis

  • max time kernel
    22s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23/05/2024, 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    norecoil.exe

  • Size

    6.8MB

  • MD5

    6fedb90ea6cc2ccd139c8f31f43e64ca

  • SHA1

    0cb84e32fc2718f262c853d51c649baba9e835f1

  • SHA256

    35f799e9718dd86d3d5c84df2afe6a370812783c1a3c1914774d94461d4467c8

  • SHA512

    e75110def190616dba057aa75189ae68e2a682dfb9c9d2dc560ecd147ae0d17a2ec63a2ccb52c69286f2964af5a6103479bb2dc7743ecbd7fdc21faac3fcb438

  • SSDEEP

    196608:zqx78ICteEroXxxVfEqlbkkwR7VTEdbZ/FGa4PNo3hAUN:U8InEroXlfEqirRRodF/D4PNgV

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\norecoil.exe
    "C:\Users\Admin\AppData\Local\Temp\norecoil.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Users\Admin\AppData\Local\Temp\norecoil.exe
      "C:\Users\Admin\AppData\Local\Temp\norecoil.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "ver"
        3⤵
          PID:5072
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3152

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\VCRUNTIME140.dll
        Filesize

        94KB

        MD5

        11d9ac94e8cb17bd23dea89f8e757f18

        SHA1

        d4fb80a512486821ad320c4fd67abcae63005158

        SHA256

        e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

        SHA512

        aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\_ctypes.pyd
        Filesize

        123KB

        MD5

        7ab242d7c026dad5e5837b4579bd4eda

        SHA1

        b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

        SHA256

        1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

        SHA512

        1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\_queue.pyd
        Filesize

        28KB

        MD5

        e64538868d97697d62862b52df32d81b

        SHA1

        2279c5430032ad75338bab3aa28eb554ecd4cd45

        SHA256

        b0bd6330c525b4c64d036d29a3733582928e089d99909500e8564ae139459c5f

        SHA512

        8544f5df6d621a5ff2ca26da65b49f57e19c60b4177a678a00a5feb130bf0902f780b707845b5a4dd9f12ddb673b462f77190e71cbe358db385941f0f38e4996

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\_socket.pyd
        Filesize

        78KB

        MD5

        4b2f1faab9e55a65afa05f407c92cab4

        SHA1

        1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

        SHA256

        241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

        SHA512

        68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\base_library.zip
        Filesize

        764KB

        MD5

        935ecbb6c183daa81c0ac65c013afd67

        SHA1

        0d870c56a1a9be4ce0f2d07d5d4335e9239562d1

        SHA256

        7ae17d6eb5d9609dc8fc67088ab915097b4de375e286998166f931da5394d466

        SHA512

        a9aac82ab72c06cfff1f1e34bf0f13cbf0d7f0dc53027a9e984b551c602d58d785c374b02238e927e7b7d69c987b1e8ab34bfc734c773ef23d35b0bdb25e99cb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\libffi-7.dll
        Filesize

        32KB

        MD5

        eef7981412be8ea459064d3090f4b3aa

        SHA1

        c60da4830ce27afc234b3c3014c583f7f0a5a925

        SHA256

        f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

        SHA512

        dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\python39.dll
        Filesize

        4.3MB

        MD5

        7e9d14aa762a46bb5ebac14fbaeaa238

        SHA1

        a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

        SHA256

        e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

        SHA512

        280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\pywintypes39.dll
        Filesize

        139KB

        MD5

        d658ffb571a541e9e21a6b859a67e112

        SHA1

        d9e7f54eb92ce32ff4d02fedd5c9b738dabbfbdb

        SHA256

        0cc26e2acaa1933647f885b47ac6da6625be7a4cd93fae220fb172906ff22091

        SHA512

        0040b19841d2d19ab5506cefc3186813cc92f57144b7b3f0bfec45638eebc053ddb8a40f2843cafe5d0ae5c6dc7f5db646a6441d34e02d749eb9563edbe5c7b9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\select.pyd
        Filesize

        28KB

        MD5

        f8f5a047b98309d425fd06b3b41b16e4

        SHA1

        2a44819409199b47f11d5d022e6bb1d5d1e77aea

        SHA256

        5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

        SHA512

        f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\tinyaes.cp39-win_amd64.pyd
        Filesize

        39KB

        MD5

        99f8d7ca9459134310358112f6177ab9

        SHA1

        b42bfdae94268e6dd8abfafe488eb4d2576d1196

        SHA256

        3abaa10ad3549e23b25a3e61b119dadb6a5f8ba7618cd31587d06cc0be79ff6c

        SHA512

        6b0a1125e034b8c328dfccf58a87d81d1b3c00efb904a9a468b2635facfc14e22eff2f9940c96ba1f66948d72371a499df3352026f7740bc136dc693d19bde7c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI50122\win32api.pyd
        Filesize

        131KB

        MD5

        8ccfec535f312418015bcd067fe32208

        SHA1

        79aa4bc6d681972afadfa4b2bae230ce06570a56

        SHA256

        9157829433f0bd8a12b1a1cf2fb90301e20ecf43802eb0ac85525ebcc53d0e30

        SHA512

        698b3a57338ffa47e2afecf9e8f8f709061e5cb56d82d8e10e48c6d4c8d26d2e0a21f2dcedc599a1b605ee2026dc2af7bd79d9f8b035c5c6fd9bd9fc817673b8

        Download Submit

      • memory/4024-47-0x00000263848E0000-0x00000263848E1000-memory.dmp

        Filesize

        4KB

        Download