Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 12/07/2024, 12:26
Behavioral task behavioral1
- Sample: 623daaca6c7b1589d304f6d850c25480N.exe
- Resource: win7-20240705-en
Behavioral task behavioral2
- Sample: 623daaca6c7b1589d304f6d850c25480N.exe
- Resource: win10v2004-20240709-en
The signatures, memory dumps and process tree below all carry the behavioral1 prefix, i.e. they are from the Windows 7 run.
General
- Target: 623daaca6c7b1589d304f6d850c25480N.exe
- Size: 12KB
- MD5: 623daaca6c7b1589d304f6d850c25480
- SHA1: 46127fb6bea8f97484d95d68b0ca3af95be2acfe
- SHA256: d517ab4c7d58147fcfb815b98a51a5c4036db312ab370cb5ccbf39bbf3b63736
- SHA512: f2d654697f291260a37a9796ee9e8787072715f09ec9a5d62cdd8094880c23d6f795898d59e0de4427e276d3d84e8edeb3faea162359777aba49f9ae63146c4d
- SSDEEP: 192:zjUWFh4fvYGIQnsA6psQt8FaNJhLkwcud2DH9VwGfctu55EJN:vKE7p3oaNJawcudoD7US5EJN
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2472  WAMain.exe
- Loads dropped DLL (5 IoCs)
  pid 2540  623daaca6c7b1589d304f6d850c25480N.exe  (5 identical rows)
- YARA rule match: upx (6 IoCs)
  behavioral1/memory/2540-0-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/files/0x0035000000015d88-25.dat
  behavioral1/memory/2472-45-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/2540-40-0x0000000001D10000-0x0000000001D1B000-memory.dmp
  behavioral1/memory/2540-48-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/2472-49-0x0000000000400000-0x000000000040B000-memory.dmp
  The same 0x00400000-0x0040B000 image range matches in both the sample (2540) and the dropped WAMain.exe (2472); the 0x01D10000-0x01D1B000 region in 2540 is a second allocation of the same size (0xB000 bytes).
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows WA = "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"  (process: reg.exe)
  The key is under HKCU (the sandbox user's SID), so this persistence needs no elevation: it survives logoff/logon for that user only.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  pid 2472  WAMain.exe  (64 identical rows)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2540  623daaca6c7b1589d304f6d850c25480N.exe
  pid 2472  WAMain.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                 procid_target
  PID 2540 wrote to memory of 2516  2540  623daaca6c7b1589d304f6d850c25480N.exe   29  (4 identical rows)
  PID 2516 wrote to memory of 1424  2516  cmd.exe                                 31  (4 identical rows)
  PID 2540 wrote to memory of 2472  2540  623daaca6c7b1589d304f6d850c25480N.exe   32  (4 identical rows)
  All three writes are a parent writing into a child it has just created (see the process tree), which is the normal pattern for process creation; none targets an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\623daaca6c7b1589d304f6d850c25480N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\623daaca6c7b1589d304f6d850c25480N.exe"
   PID: 2540
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\OTPDQ.bat" "
      PID: 2516
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
         PID: 1424
         - Adds Run key to start application
   2. C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
      PID: 2472
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
The sample (a 32-bit image, hence the SysWOW64 cmd.exe and reg.exe) drops a batch file in %TEMP% whose only visible effect is the REG ADD above, then launches the dropped copy from %APPDATA%\Microsoft\WAMain.exe directly. The Run value name "Windows WA" and the WAMain.exe path under AppData\Roaming\Microsoft are the hunt-ready artifacts from this run.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 148B
  MD5: 3a4614705555abb049c3298e61170b7f
  SHA1: c8686410756f346d9551256a5b878b04770950ba
  SHA256: cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b
  SHA512: 65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007
- Filesize: 12KB
  MD5: a48faefb41595150c07faf23cce5f3b7
  SHA1: 798c49c7be935da85ac19564d081d92ea652a047
  SHA256: ff6b2c4182b11ce4602165ba0a9487b8f073dab33cd367c987318791f929fb1c
  SHA512: f36c9c8770e326e3dd7d9468051ed3c9acd72a92de12a18b9ce33dc983524e6347291c0a1a7ac1ec05358b0dc0d33d03b1803f8dee3422b5430329bb21beac6f
Neither entry is named on this page. Note that the 12KB entry's hashes differ from the submitted sample's, so it is not a byte-identical copy of it.