Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

4

Static

static

3

Loader.exe

windows7-x64

4

Loader.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2024, 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    48KB

  • MD5

    3668e97d95b35672e4a8eb7cb1da1cf5

  • SHA1

    2dc3e500ac21d9c07af38e5f70f83ec7bc30bace

  • SHA256

    dc06db1dc05fad16aa820074f03db3cf2cea5f5b9e5ff9136f5cad896ccf0ab8

  • SHA512

    61952fedcec08d8d940899381bef50a0e82cb86f226a4d207eccaa0958da6f71f517fb5ba2e704dfce320812bf1ba7e03fa934fb860cd57d69f43cc625195507

  • SSDEEP

    768:zt5DuFP8FFIHGD+pqSh151a0SszvW4loC8DcztQcCZzt236dCuOMc:7DSPja+gS91aMzdxztQlZztPdCuRc

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1420
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2324
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2324-1-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-3-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-2-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-8-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-13-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-12-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-11-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-10-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-9-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2324-7-0x00000217F6AF0000-0x00000217F6AF1000-memory.dmp

      Filesize

      4KB

      Download