Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 22:29

General

  • Target

    cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe

  • Size

    75KB

  • MD5

    12460fe4258ab1ba4c2b77cb943eacd8

  • SHA1

    0d40cc2d28bd0febf065d10e3a6646cbefb05c9c

  • SHA256

    cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb

  • SHA512

    603476131ce5422488ebf4d588219dd5a22efcd18d20b66bf676caf8a6d36fbbdbc0c47e42d57b345c65d56aafe50f0b999707b6784a4e5bf8aa2907a3de2c5c

  • SSDEEP

    1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOvAI:GhfxHNIreQm+HiUAI

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Modifies system executable filetype association (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Modifies registry class (15 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe
    "C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2456

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\notepad¢¬.exe

    Filesize

    75KB

    MD5

    95df74fea81a1875d23857a22ae315ef

    SHA1

    f716e76af67d975f7e3b9ab36dfccf2088fbc8f0

    SHA256

    d117ff6080e2ee4744338f87c50c544bab1070fd9a6ff12911a7de62fce59261

    SHA512

    4209449a0d6f7f0890c8bd7cad2cc86ac3e0b712e81eb0175046d2c455140b567e58af971072baf03ce814ce36df8eeedb4c65485429e39a729cc48ec29659fa

  • \Windows\system\rundll32.exe

    Filesize

    78KB

    MD5

    6d46910a5f393a0549de8022e0739c3a

    SHA1

    36a16cb60a512008c0637bd7c1f0bc7542bd254f

    SHA256

    92e10836feb92a6bacd12263e1dc3c3c171a1152a8efdbd692b781d518c4cbda

    SHA512

    62fc8aa7dddd8cdd50bd13350710c7858455e9e9cee881f094d2f0cb04dc7eefa76d11fd609b44056b66d42258e33a7300205cdfe6bbd9ee60c1b071c3569a9e

  • memory/1640-0-0x0000000000400000-0x0000000000415A00-memory.dmp

    Filesize

    86KB

  • memory/1640-18-0x0000000000280000-0x0000000000296000-memory.dmp

    Filesize

    88KB

  • memory/1640-17-0x0000000000280000-0x0000000000296000-memory.dmp

    Filesize

    88KB

  • memory/1640-21-0x0000000000400000-0x0000000000415A00-memory.dmp

    Filesize

    86KB

  • memory/2456-20-0x0000000000400000-0x0000000000415A00-memory.dmp

    Filesize

    86KB