Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/05/2024, 15:57

General

  • Target

    virussign.com_6dba1b11bb66d156b1af3c0a5d645a00.exe

  • Size

    579KB

  • MD5

    6dba1b11bb66d156b1af3c0a5d645a00

  • SHA1

    5ae2d1cd30f31b608d5400b74770b5a57be68941

  • SHA256

    c61214941383f26350a38acb13572d054087927943f4ad5befd15d5848f5981b

  • SHA512

    df374d5195efc1152465f110509b2f9d1ab22d84477e476b003436aadd4b79c1fe23d3d8c1e0089c2a9f1523df6f536aaff5a1ff8e2beca452d16e117e8c56e5

  • SSDEEP

    12288:7tKe6Zv23YLVFhBsC8iFHSs7xPY1f6HriPwU8mNCZA9M:v6Zv2ivhBVnFys7xP86LkRCmM

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Executes dropped EXE (1 IoC)
  • Modifies system executable filetype association (2 TTPs, 2 IoCs)
  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in System32 directory (6 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Modifies registry class (12 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\virussign.com_6dba1b11bb66d156b1af3c0a5d645a00.exe
    "C:\Users\Admin\AppData\Local\Temp\virussign.com_6dba1b11bb66d156b1af3c0a5d645a00.exe"
    • Modifies Installed Components in the registry
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\spoolsv.exe
      C:\Windows\spoolsv.exe
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\concp32.exe

    Filesize

    581KB

    MD5

    24d2b3c137e0341aa65e513a67a440d0

    SHA1

    60399a3ddab8f76453195ca8775fee3f40660225

    SHA256

    5b73e70cf8a2b0199ad919b99a6625426521e24c270f097e1ecd1d947c3dc247

    SHA512

    4117db3c69db134eab3cde11ddaa4180c6c7bca7c37db1d0fdd29fe6d240183bc13a13f80f3906e4fa15475366c4d1fca5f02bd336121162dfc28d6bbe7af20a

  • C:\Windows\spoolsv.exe

    Filesize

    583KB

    MD5

    084c3e56469f34b633bded8843b2f3e5

    SHA1

    745465095fe77000abd66068c03b23f995b94337

    SHA256

    b2fb8d6370d221e3325049c8adaa35bb7c1fe3a2b7744f18d07b67946fbba5fe

    SHA512

    786961b59b9d9787a526ef24940602a24af400c89509d9a5d29e56976905556c785396bcbd7acc08456935459a419c97d4fd46051fbf034a3e38fec67e8423bd

  • memory/2348-16-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2388-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2388-10-0x0000000000220000-0x0000000000259000-memory.dmp

    Filesize

    228KB

  • memory/2388-14-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB