Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/05/2024, 16:33

General

  • Target

    Work/SoundChanger.exe

  • Size

    226KB

  • MD5

    85c6cb4b878b49c4f73abd6316b58230

  • SHA1

    2a3e616b036819035bbfe4e0a2dc49c82449a314

  • SHA256

    7987fd74868b355632df577b9d18d449f696b2a96ea7633cae35cd07c600a588

  • SHA512

    fc269c2f16b0adcdbcf5d5b2ac55ba079d46b6801508d5db82a7adf5085b9e11024dfe745d416c7fc5e09b05d057cdae8589891965b6534bcd07f8ecc8dfc606

  • SSDEEP

    6144:nt5hBPi0BW69hd1MMdxPe9N9uA069TBnFuCndEJA:ntzww69T9FTWq

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Work\SoundChanger.exe
    "C:\Users\Admin\AppData\Local\Temp\Work\SoundChanger.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\25C9.tmp\25CA.tmp\25CB.bat C:\Users\Admin\AppData\Local\Temp\Work\SoundChanger.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\system32\reg.exe
        reg query "HKCU\Software\SoundChanger"
        3⤵
        PID:1920
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\SoundChanger" /f
        3⤵
        PID:3044
          • C:\Users\Admin\AppData\Local\Temp\25C9.tmp\DefSound.exe
            DefSound.exe 0
            3⤵
            • Executes dropped EXE
            PID:1976
          • C:\Windows\system32\taskkill.exe
            taskkill /im DefSound.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2736

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\25C9.tmp\25CA.tmp\25CB.bat

        Filesize

        371B

        MD5

        a347d822d94cb1ab02de9a18bce454f8

        SHA1

        d78a58b12d9a5cfa917f3a7857dc475c86861b7b

        SHA256

        537aa5762ac11b2b87f4c9915129ce5e4328b634f4ae514d2c9ef341ce33bcab

        SHA512

        505dd206332434659b30a73627601dd04b2c0395dfb17fc6c1761dd55c9640d7b93efb3fbaf772803cc64fc5c4f9669d0357d927c3221750cc858e6647bb974b

      • \Users\Admin\AppData\Local\Temp\25C9.tmp\DefSound.exe

        Filesize

        118KB

        MD5

        c8d0c8f724c4fa3eae9c174651e7682f

        SHA1

        4161b4f8425e6da4f3e43fa8116946997472bb29

        SHA256

        fb2c560d1a1fb987d3b1bed958226d82279ff3ba5c2e0955269172ed2028abed

        SHA512

        45fcf40f295580bb32d946702dcd3edff4284b3877871f266844ae4c92d727751ec5395199f45b1795aa42c3f9d1bfa11bd60eb2ee4ecdb21fa524cec29f65ac