Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    02/06/2024, 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.2MB

  • MD5

    deafbdc620c448f30ed765cea21bd8d4

  • SHA1

    4e4d5221e80640d29976cc0660067d884574ea2a

  • SHA256

    d8558fe78f5016bde05a841d05d094bc7fe040b36f6d195ae33ece9fa4b0f9e6

  • SHA512

    58794328ee3e4e8732dd1ec36a7178455bff1bae8431d6394e389a15cd5b8ce55e1709308f8b7861f38bb31a30a4017d71fd0a214084fb07bfcf723c5fd55c07

  • SSDEEP

    24576:FTAPa5NuIM072aCVm4Yzs4M9SP8/Ec+CsrL5WyI2YsAeG:FT9eITD6m4Z4MAEaWAr

Score
10/10
execution

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\system32\cmd.exe
          cmd /C powershell -Command "Get-Process -Name 'explorer' | Select-Object -ExpandProperty Id"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Get-Process -Name 'explorer' | Select-Object -ExpandProperty Id"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2668
        • C:\Windows\system32\cmd.exe
          cmd /C ping 1.1.1.1 -n 1 -w 2997 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\file.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\system32\PING.EXE
            ping 1.1.1.1 -n 1 -w 2997
            4⤵
            • Runs ping.exe
            PID:2924

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\hrZHd.tmp
      Filesize

      1.7MB

      MD5

      3556d5a8bf2cc508bdab51dec38d7c61

      SHA1

      92015f7bbdb9dad35e41c533d2c5b85f1cd63d85

      SHA256

      91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50

      SHA512

      c2797ad0e21cde5267e1db0862a7e99c8c025b29fc33462851116f83887d7ca1a35859fb43f141c7af46a6e2aede9199e6f386f13b0569fcd6b036c2f84b0e20

      Download Submit

    • memory/2668-18-0x000000001B670000-0x000000001B952000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2668-16-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2668-26-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2668-22-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2668-21-0x0000000002340000-0x0000000002348000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2668-20-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2668-25-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2668-19-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2668-17-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2820-9-0x0000000077481000-0x0000000077582000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2820-10-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2820-24-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2820-23-0x0000000077481000-0x0000000077582000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2820-11-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2820-27-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2820-28-0x0000000077480000-0x0000000077629000-memory.dmp

      Filesize

      1.7MB

      Download