Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

28/05/2024, 11:02

240528-m5c1wagd7x 10

06/05/2024, 13:53

240506-q6ywhsde4z 3

Analysis

  • max time kernel
    537s
  • max time network
    492s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    28/05/2024, 11:02

General

  • Target

    ah.zip

  • Size

    7.0MB

  • MD5

    777c025958c2dd332ae1163092305f54

  • SHA1

    ec016614bbbe6e88dc4e58e26a9d88bf4d1a3a64

  • SHA256

    36a00c545e5fdbd5712eb468099a211dccf17812a0cb08efde9d3ddce7181c5e

  • SHA512

    7ab95cde168fa9e866d7841729cfd4a51b3b1406cf1c808271297f7875309541fec7e0d5d7f7e0a76c7b5e0ce5e795321dfcb729208283ecd311dc0563bb920f

  • SSDEEP

    196608:Z8oDmWKq7cLCueSB4lE71V/YxQtw44B2yZIgrgI:6n+SWW2Otw4hyuWH

Score
10/10

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 41 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ah.zip
    1⤵
      PID:1736
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:112
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x2f0
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2024
      • C:\Users\Admin\Documents\ah\client32.exe
        "C:\Users\Admin\Documents\ah\client32.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2976
      • C:\Users\Admin\Documents\ah\client32.exe
        "C:\Users\Admin\Documents\ah\client32.exe"
        1⤵
          PID:1052
        • C:\Users\Admin\Documents\ah\client32.exe
          "C:\Users\Admin\Documents\ah\client32.exe"
          1⤵
            PID:1672
          • C:\Users\Admin\Documents\ah\ForceCPU.exe
            "C:\Users\Admin\Documents\ah\ForceCPU.exe"
            1⤵
              PID:1328
            • C:\Users\Admin\Documents\ah\client32.exe
              "C:\Users\Admin\Documents\ah\client32.exe"
              1⤵
                PID:1796
              • C:\Users\Admin\Documents\ah\client32.exe
                "C:\Users\Admin\Documents\ah\client32.exe"
                1⤵
                  PID:2404
                • C:\Users\Admin\Documents\ah\client32.exe
                  "C:\Users\Admin\Documents\ah\client32.exe"
                  1⤵
                    PID:2612
                  • C:\Users\Admin\Documents\ah\client32.exe
                    "C:\Users\Admin\Documents\ah\client32.exe"
                    1⤵
                      PID:2812
                    • C:\Users\Admin\Documents\ah\client32.exe
                      "C:\Users\Admin\Documents\ah\client32.exe"
                      1⤵
                        PID:1820
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\ah\concrt140.dll
                        1⤵
                          PID:2564
                        • C:\Users\Admin\Documents\ah\ForceCPU.exe
                          "C:\Users\Admin\Documents\ah\ForceCPU.exe"
                          1⤵
                            PID:1324
                          • C:\Users\Admin\Documents\ah\ForceCPU.exe
                            "C:\Users\Admin\Documents\ah\ForceCPU.exe"
                            1⤵
                              PID:2080
                            • C:\Windows\system32\cmd.exe
                              "cmd.exe" /s /k pushd "C:\Users\Admin\Documents\ah"
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2892
                              • C:\Users\Admin\Documents\ah\ForceCPU.exe
                                ForceCPU.exe
                                2⤵
                                  PID:532
                              • C:\Windows\system32\cmd.exe
                                "cmd.exe" /s /k pushd "C:\Users\Admin\Documents\ah"
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:264
                                • C:\Users\Admin\Documents\ah\client32.exe
                                  client32.exe
                                  2⤵
                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                  PID:1184
                              • C:\Windows\system32\taskmgr.exe
                                "C:\Windows\system32\taskmgr.exe" /4
                                1⤵
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: GetForegroundWindowSpam
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                PID:1636

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/1324-2-0x00000000003D0000-0x00000000003D8000-memory.dmp

                                Filesize

                                32KB

                              • memory/1328-1-0x00000000011B0000-0x00000000011B8000-memory.dmp

                                Filesize

                                32KB

                              • memory/1636-4-0x0000000140000000-0x00000001405E8000-memory.dmp

                                Filesize

                                5.9MB

                              • memory/1636-5-0x0000000140000000-0x00000001405E8000-memory.dmp

                                Filesize

                                5.9MB

                              • memory/1636-6-0x0000000140000000-0x00000001405E8000-memory.dmp

                                Filesize

                                5.9MB

                              • memory/2080-3-0x0000000001260000-0x0000000001268000-memory.dmp

                                Filesize

                                32KB