Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 89s
  • max time network: 72s
  • platform: windows7_x64
  • resource: win7-20240508-es
  • resource tags: arch:x64, arch:x86, image:win7-20240508-es, locale:es-es, os:windows7-x64, system, windows
  • submitted: 30/05/2024, 18:14

General

  • Target: NFS_Server_1.0.6.0_Portable.zip
  • Size: 5.3MB
  • MD5: a8b2a08cc524c1f5cb1fc3cb53a0aba1
  • SHA1: 298b8d12174c994484f2f3464f70509ca8ee290c
  • SHA256: 2ba69732dfa911a7d8fc8ab7874730e04621cc7832cf9a87c647d829c67d341d
  • SHA512: 5197fc288e80eef04b2773a1c65dfe3fdffe8d8178b4dedf5cfcbdba21594b8053bf88aefa42a93365d9edbe8c6f5f5dbc2050509e3afb1f15ea7fdb45387ccc
  • SSDEEP: 98304:7VMcD/9U+BjRDyMX48cNJppw8kDSQ2l0r5rZvaMBLTf9P3aF1Y0kQp+6ISS4:RGWBy048cNJpbkrb1ZiqvVPkY0kQvISp

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NFS_Server_1.0.6.0_Portable.zip
    PID:2944
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      PID:1360
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap9810:112:7zEvent4082
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1256
      • C:\Users\Admin\Desktop\NFS_Server_1.0.6.0_Portable\NFS_Server.exe
        "C:\Users\Admin\Desktop\NFS_Server_1.0.6.0_Portable\NFS_Server.exe"
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1740
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\NFS_Server_1.0.6.0_Portable\NFS_Server.exe
    Filesize: 273KB
    MD5: f580026703be66871aef5e5a6335a04b
    SHA1: 34798ca976e681dfeb000273b10db275cc67933f
    SHA256: 1da42f00b05843129e3968db446cd0de08309f9dce7df657895c5e9cbead098a
    SHA512: b44572481ef6352efd482167dd2eb8f8474ce589bb4e975ff74b322cca331823b8e4faeae4c8b66016b0280f562fa55a99404f27b47f0dac6fd37ca68d0910d4

  • C:\Users\Admin\Desktop\NFS_Server_1.0.6.0_Portable\QtGui4.dll
    Filesize: 8.0MB
    MD5: b98c7c7cf3b2a4eca752fe4d5d842757
    SHA1: 589042a5e3f2c21cd04ab9b7223dd100e8ed7d7f
    SHA256: bf573b3236ccafd6e3c16a19d94b11a96a4bea3d32fb09aa953aa8f4fcf8ecda
    SHA512: 9abb6f6a330b29bda651502a468e97b24d0c8c366e8464e2f5673cd02ae7f1bee4088a98a9da26da761897641c1819663dc15ab30b8fd95cde4ddb3cff54f235

  • \Users\Admin\Desktop\NFS_Server_1.0.6.0_Portable\QtCore4.dll
    Filesize: 2.4MB
    MD5: efc27445e76973818e43c4713ae834ad
    SHA1: 0a7c125cd83e1947571296f58eb092b4e95dbcd1
    SHA256: 6ab1764db00bbda37783e9ffcb9b039b0c67be3a382661c9e9fa33dfd27e3afa
    SHA512: 27b82482b5a21eddd6382e99ee062196924978f7092cab5b19f952fd30810e2f3da38ea251ca345c4f99a469603478711c5a410572d523139b3fa17fd7e8bad1

  • \Users\Admin\Desktop\NFS_Server_1.0.6.0_Portable\QtNetwork4.dll
    Filesize: 1000KB
    MD5: e78550025f86fda02e9f79b24c41dc2b
    SHA1: 5b0b36e73f3105842c732636246dc1032fc0e4a4
    SHA256: 7039486014e11251dfa83096cd40c6fbb8b8319bc094aef849a872d9b974f64c
    SHA512: 74089228480550eb386b2d7e2824daa54e9fbe5e89a7df02e27e8c487e511c3d38612049648815d14a33e2d4995327e201f48e8ddab23c80603c49211415b3a5

  • memory/1740-23-0x0000000004980000-0x0000000004982000-memory.dmp
    Filesize: 8KB