Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/05/2024, 17:59
Static task: static1
Behavioral task: behavioral1
  Sample: WolframAV.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: WolframAV.exe
  Resource: win10v2004-20240226-en
General
Target: WolframAV.exe
Size: 2.6MB
MD5: ba371189ab70090c298d92d502e130e5
SHA1: 28b6c0172da07a81ab58f5e71654b047914f3f89
SHA256: b9afb9c819302396858d2966371d904d9dd8661da835fd0ccc74758aae84e519
SHA512: a8d8b26afe4b1846b96d264a4d97d364a77adc698a4c14b26014742f59e611defb54f90a4c185004ac05d02e3e51de3b35e48853b6ef5c205b55d112f5260ace
SSDEEP: 49152:PmolhL7w73ArxJ5+loYuQhxzjFFv8yL1ObXKv624vPQWz/mMOr5Cw9/mx:PThfw7QrxJ5SoYJhxz/rGXk6pB/m1VCF
Malware Config
Signatures
Drops startup file (3 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe | Wolfram Antivirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe | Wolfram Antivirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe | csrss.exe

Executes dropped EXE (6 IoCs)
pid | process
3048 | Wolfram Antivirus.exe
2592 | csrss.exe
2612 | csrss.exe
2516 | csrss.exe
2424 | csrss.exe
2672 | csrss.exe

Loads dropped DLL (9 IoCs)
pid | process
332 | WolframAV.exe (2 occurrences)
3048 | Wolfram Antivirus.exe (4 occurrences)
2612 | csrss.exe (2 occurrences)
2424 | csrss.exe (1 occurrence)
YARA rule hits (yara_rule: upx, 7 IoCs)
resource | yara_rule
behavioral1/memory/332-1-0x0000000000400000-0x0000000000CE9000-memory.dmp | upx
behavioral1/memory/332-3-0x0000000000400000-0x0000000000CE9000-memory.dmp | upx
behavioral1/memory/332-12-0x0000000000400000-0x0000000000CE9000-memory.dmp | upx
behavioral1/memory/3048-15-0x0000000000400000-0x0000000000CE9000-memory.dmp | upx
behavioral1/memory/3048-28-0x0000000000400000-0x0000000000CE9000-memory.dmp | upx
behavioral1/memory/3048-70-0x0000000000400000-0x0000000000CE9000-memory.dmp | upx
behavioral1/memory/3048-93-0x0000000000400000-0x0000000000CE9000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
3048 | Wolfram Antivirus.exe (64 occurrences)

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | process
3048 | Wolfram Antivirus.exe (3 occurrences)

Suspicious use of SendNotifyMessage (3 IoCs)
pid | process
3048 | Wolfram Antivirus.exe (3 occurrences)

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | process
332 | WolframAV.exe (1 occurrence)
3048 | Wolfram Antivirus.exe (3 occurrences)

Suspicious use of WriteProcessMemory (24 IoCs; each row below is recorded 4 times)
description | pid | process | procid_target
PID 332 wrote to memory of 3048 | 332 | WolframAV.exe | 28
PID 3048 wrote to memory of 2592 | 3048 | Wolfram Antivirus.exe | 29
PID 2592 wrote to memory of 2612 | 2592 | csrss.exe | 30
PID 2612 wrote to memory of 2516 | 2612 | csrss.exe | 31
PID 2516 wrote to memory of 2424 | 2516 | csrss.exe | 33
PID 2424 wrote to memory of 2672 | 2424 | csrss.exe | 34
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\WolframAV.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\WolframAV.exe"
  PID: 332
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\Wolfram Antivirus.exe
    command line: "C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\Wolfram Antivirus.exe"
    PID: 3048
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe
      command line: "C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe"
      PID: 2592
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe
        command line: a exec C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe
        PID: 2612
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        (depth 5) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe"
          PID: 2516
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          (depth 6) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe
            command line: a exec C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe
            PID: 2424
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            (depth 7) C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe
              command line: "C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe"
              PID: 2672
              - Executes dropped EXE
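The process tree and the "Drops startup file" signature above are the two things a responder wants to check mechanically: that the chain really runs WolframAV.exe -> Wolfram Antivirus.exe -> csrss.exe -> csrss.exe -> ..., and that every csrss.exe in it runs from AppData or the Startup folder rather than from %SystemRoot%\System32, the only place the real Client/Server Runtime lives. The script below is an added example, not code from the report or from Triage. It transcribes the report's process rows, parent links (from the "wrote to memory of" rows) and file rows into Python records and runs four checks: a system-only process name outside System32 (T1036.005), an image executing from the Startup folder, a file created in the Startup folder (T1547.001), and the two csrss.exe copies relaunching each other, which the chain shows but no signature names. It goes beyond the page in that the system-only name list covers more than csrss.exe; %SystemRoot% = C:\Windows, the rule names and the function names are this example's own assumptions. Standard library only, so it runs offline.

```python
"""Added triage helper (not part of the Triage report): rebuilds the process
chain from the report's rows and flags the persistence and masquerading that
the signatures above only show as raw IoCs. Standard library only."""
import ntpath
from collections import defaultdict

# Paths transcribed from the report's "Processes" section.
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
AVDIR = r"C:\Users\Admin\AppData\Roaming\Wolfram Antivirus"
TMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\WolframAV.exe"
WOLF_EXE = AVDIR + r"\Wolfram Antivirus.exe"
CSRSS_AV = AVDIR + r"\csrss.exe"          # first dropped copy
CSRSS_STARTUP = STARTUP + r"\csrss.exe"   # second copy, the persistence one


def q(path):
    """Most command lines in the report are just the quoted image path."""
    return f'"{path}"'


# (pid, parent pid, image path, command line). Parent pids follow the
# "PID x wrote to memory of y" rows: 332 -> 3048 -> 2592 -> 2612 -> 2516 -> 2424 -> 2672.
PROCESSES = [
    (332, None, TMP_EXE, q(TMP_EXE)),
    (3048, 332, WOLF_EXE, q(WOLF_EXE)),
    (2592, 3048, CSRSS_AV, q(CSRSS_AV)),
    (2612, 2592, CSRSS_AV, "a exec " + CSRSS_STARTUP),
    (2516, 2612, CSRSS_STARTUP, q(CSRSS_STARTUP)),
    (2424, 2516, CSRSS_STARTUP, "a exec " + CSRSS_AV),
    (2672, 2424, CSRSS_AV, q(CSRSS_AV)),
]

# (operation, path, acting process) from the "Drops startup file" signature.
FILE_EVENTS = [
    ("File created", CSRSS_STARTUP, "Wolfram Antivirus.exe"),
    ("File opened for modification", CSRSS_STARTUP, "Wolfram Antivirus.exe"),
    ("File opened for modification", CSRSS_STARTUP, "csrss.exe"),
]

STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Core Windows processes that only ever run from %SystemRoot%\System32; the list
# goes beyond the csrss.exe seen here. %SystemRoot% = C:\Windows is an assumption.
SYSTEM_ONLY = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
               "services.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"


def chain_to(pid, processes=PROCESSES):
    """Parent links from the root down to `pid`, e.g. [332, 3048, ..., pid]."""
    parent = {p: pp for p, pp, _, _ in processes}
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = parent[pid]
    return chain[::-1]


def render_tree(processes=PROCESSES):
    """Indented text tree: one line per process, pid then command line."""
    children, cmdline = defaultdict(list), {}
    for pid, ppid, _, cmd in processes:
        children[ppid].append(pid)
        cmdline[pid] = cmd
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {cmdline[pid]}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in children[None]:
        walk(root, 0)
    return "\n".join(lines)


def findings(processes=PROCESSES, file_events=FILE_EVENTS):
    """(rule, pid-or-path) pairs worth escalating."""
    hits = []
    for pid, _, image, _ in processes:
        name, folder = ntpath.basename(image).lower(), ntpath.dirname(image).lower()
        if name in SYSTEM_ONLY and folder != SYSTEM32:
            hits.append(("masquerade_system_process_name", pid))   # T1036.005
        if STARTUP_MARKER in image.lower():
            hits.append(("runs_from_startup_folder", pid))
    for op, path, _ in file_events:
        if op == "File created" and STARTUP_MARKER in path.lower():
            hits.append(("startup_folder_persistence", path))      # T1547.001
    # Two copies relaunching each other: an image path that already ran earlier
    # in the chain comes back after a different image ran in between.
    deepest = max(processes, key=lambda p: len(chain_to(p[0], processes)))[0]
    image = {p: img.lower() for p, _, img, _ in processes}
    seen, last = set(), None
    for pid in chain_to(deepest, processes):
        if image[pid] != last and image[pid] in seen:
            hits.append(("alternating_copies_relaunch", pid))
        seen.add(image[pid])
        last = image[pid]
    return hits


if __name__ == "__main__":
    print(render_tree())
    for rule, what in findings():
        print(f"{rule:32} {what}")
```

Running it prints the seven-process tree and nine findings: all five csrss.exe instances as masquerading, PIDs 2516 and 2424 as running from the Startup folder, the one "File created" in Startup as persistence, and PID 2672 as the AppData copy coming back after the Startup copy ran. On a live host the same checks apply to Sysmon event ID 1 (process create) and event ID 11 (file create) records, with the parent PID taken from the event instead of from the sandbox's WriteProcessMemory rows.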
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 222KB
MD5: 756a066bf0e8727906bfd186206c7c03
SHA1: 7963fdaed6722a2dc39592c90ce7d383b2bc0382
SHA256: 49e6d55da821572afbb0342716840d069f210e0a73a38e9dc9026a1b633f1c7d
SHA512: 74660bb8ed05238fcc884febd8405b69640d375003b24beba8db5b4c25c05efebbad47a76f8fd4ca30f39da0d5f65b4a8cc4f663117e524bba4728692442cb3f

Filesize: 222KB
MD5: 08bd665ba70ed5c9df9ca94b52f283ac
SHA1: dc7fd2f628a388943677328fa62c430df12bfd4a
SHA256: e405a76f5599eff5049a7360684ea87e69e67794b95370d17a35e31cefdaec84
SHA512: 1394475d6a92e090dae49a966ce48f20f928ea953b1c3f22e3613bd11dfd3e43181cb5f429b5b370d8b45909857e030108d522b470915a03f3cbdbf4cbbbb53c

Filesize: 300B
MD5: a167ced21eb752e50a6bf89a363ad184
SHA1: 921c478cbeb2a8d51355f81e2497b758999a4cbd
SHA256: be73d200d75ac45707c9d158449154fdb845f6ac60711db61abe26c53dc1467e
SHA512: 38b0c64b342f718a4c7daf31e84c35affee19951dba267fff4cfad067e24da517b98f106fe5559021052d25d7fd2f8d8ee0bc5aa91cde5d1b8f61f304cf669c2

Filesize: 901B
MD5: d51d70611f30b71d189b019c365f849d
SHA1: e0dea96f35203562f857a5eff84b412dd5d24794
SHA256: 013464e0971ed6cc613a18758c869f65b6281bd94adc860a0869d1980848627f
SHA512: 3aaa30873d803721bc963289bb8facb96bf6ed6547205595492f446726892459874280a6ee4343de6e02334d4edddb180cc0ee6bbbc44b596a007af4530066e1

Filesize: 2.6MB (same hashes as the submitted sample WolframAV.exe)
MD5: ba371189ab70090c298d92d502e130e5
SHA1: 28b6c0172da07a81ab58f5e71654b047914f3f89
SHA256: b9afb9c819302396858d2966371d904d9dd8661da835fd0ccc74758aae84e519
SHA512: a8d8b26afe4b1846b96d264a4d97d364a77adc698a4c14b26014742f59e611defb54f90a4c185004ac05d02e3e51de3b35e48853b6ef5c205b55d112f5260ace