Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    91s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    19/07/2024, 03:25

General

  • Target

    48cefb137b69e2e659e2226a7bd5d9c0N.exe

  • Size

    644KB

  • MD5

    48cefb137b69e2e659e2226a7bd5d9c0

  • SHA1

    a8b27f07c7b4a333fcaf75f937286cc764955509

  • SHA256

    5cf6a4ba6364654169540fc204e7f68d53aa74b61c73577213de556815f045c4

  • SHA512

    59f8c39a1b170aa7cde59d8f73c20f68022d35a0604c2d25279a9ab2eb500776c79de52ec85b9e3a7e44534e845cb9413668a6e00413808765062e4f1f1eb1b8

  • SSDEEP

    12288:7tKe6Zv23YLVFhBsC8iFHSs7xPY1f6HriPwU8mNCZQUEsUB:v6Zv2ivhBVnFys7xP86LkRCkB

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48cefb137b69e2e659e2226a7bd5d9c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\48cefb137b69e2e659e2226a7bd5d9c0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\spoolsv.exe
      C:\Windows\spoolsv.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      PID:352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\concp32.exe

    Filesize

    644KB

    MD5

    842bbbf6e985b83b6516881aff10a828

    SHA1

    f30d8f09a875fa247847c3a2a8763d773f310e0e

    SHA256

    69930ac5a67a2b8ca0b0f46fd92ea19f9cb580cb343dcb7a50cec3dc2c63bd46

    SHA512

    6896a9f9bc84f500abc7be6143ea2ff59b816f011df79c071729b1976cd0acc3f81c4976ffea219d4777c4f5cad6aafd4519f2df1867428406c4ef0662d566ae

  • C:\Windows\spoolsv.exe

    Filesize

    647KB

    MD5

    3c3b278950b89a43c37b87073c7fa879

    SHA1

    b5e49f6144e25c393b5f0fe39292692a3c188e23

    SHA256

    9fdc3602908a64c850826dc24d695b119921f620e55a1413d57b28bbe562f668

    SHA512

    0a7ca97de4dffa24ec7e506d8bfcff0d3a6745359434ab8e45cb35ead347eeccdd5b3ea2d008a94ba355b0cadacfb1e2bcef9bb86b32fb6ba466835533f50506

  • memory/352-15-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/352-16-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1596-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1596-14-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB