Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    19/07/2024, 03:16

General

  • Target

    473af2b09ea68fa56f19f779a55e2d60N.exe

  • Size

    328KB

  • MD5

    473af2b09ea68fa56f19f779a55e2d60

  • SHA1

    c9a1250443b5fe9d8cc505e7bc975c9c1b565f97

  • SHA256

    7efd63d0a01848bbd335e50af51ac21bb7654d6e7373e730b3b81dfb4f31a530

  • SHA512

    a1de6aa8ebe74fcdab902efe056b3fadbca3033287407e415f9266e425074a2af7c5653cbb5a66849083f929766750c44ee4737561d54add1f1105fff74bafe4

  • SSDEEP

    6144:J2XgY8FFX7Z6A/P352p4gFs/e8PeAZuon2T5T7UcIGMAQTeJ:J2X1cFx/PAp4ks/e6Fn2dEZGjQSJ

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe
    "C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe
      "C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMWNI.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Console Window Host" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1464
      • C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
          "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1456
        • C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
          "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • Modifies registry key
              PID:2520
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
            5⤵
              PID:2812
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
                6⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:2556
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2776
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                6⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:2524
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1084
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
                6⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:2140

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\YMWNI.bat

      Filesize

      154B

      MD5

      0d0a854e96bddf0e7df7f5f024674226

      SHA1

      f45ca9c7f935422ddfb0550febdfc7a09baf2d98

      SHA256

      5bab0b5c3ef8a28a7246854074a5a469c602a10ac803d18f2102399597d35907

      SHA512

      8b6db387b3bb5774c691bcdd4d9f3a147e1556eee89fe1de929464510c01b14495157c14cbb355fc850b79dee500b8be7ae7a0c3b5ea0916d6eb9154f9ae73a8

    • \Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe

      Filesize

      328KB

      MD5

      473af2b09ea68fa56f19f779a55e2d60

      SHA1

      c9a1250443b5fe9d8cc505e7bc975c9c1b565f97

      SHA256

      7efd63d0a01848bbd335e50af51ac21bb7654d6e7373e730b3b81dfb4f31a530

      SHA512

      a1de6aa8ebe74fcdab902efe056b3fadbca3033287407e415f9266e425074a2af7c5653cbb5a66849083f929766750c44ee4737561d54add1f1105fff74bafe4

    • \Users\Admin\AppData\Roaming\Adobe\conhost.exe

      Filesize

      328KB

      MD5

      37ed5d5ba72458e5e07eccc17d86ff2f

      SHA1

      c44ec90c20f3908c20aa51e822462d0a760673a2

      SHA256

      d312dbf58cbc8be5178590a88855fc7c5585a2b44358ba026ae289ddcc4bfa84

      SHA512

      5265e40b2cc84a33876817a325424711ffd78b41b40e63e4d3f655d051f06acf40b8b38db9e2aaf3b3cf356f9694f015170d7aacf97c4c9cfc24fa543f186e19

    • memory/1456-1054-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1768-460-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1768-466-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1768-508-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1768-1068-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2476-2-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2476-105-0x0000000000480000-0x0000000000481000-memory.dmp

      Filesize

      4KB

    • memory/2740-1065-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB