Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    22/07/2024, 10:02

General

  • Target

    985d6ab0e9e57850cf7ed9f331ae36a0N.exe

  • Size

    539KB

  • MD5

    985d6ab0e9e57850cf7ed9f331ae36a0

  • SHA1

    9dcbb36de4f8a99a7ffca73240dedea6ee33fac9

  • SHA256

    612daa13770e7ca0f61b173c4a2c9790f7cd8b109bb886f80cb257dfce623451

  • SHA512

    803fe1087e1dae4aa4919f3cf7d8f14e69c2d8fb9210600f98151d3a6ccf866bcc459eb8d33ff8922dfa78ca63d89aaf0ca5c1bc23735b4fc518d61e6845e4a9

  • SSDEEP

    6144:NYkLWCTxDrF98Oh8P7AEL8IhoM8InI5SQ8R5NTope6S2DtL9xG9QTKhDxfWqr6z1:NYIW0p98Oh8P7h8EJQ8z8eDe9mJxfWZT

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\3F13.tmp
      "C:\Users\Admin\AppData\Local\Temp\3F13.tmp" --pingC:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe 292C500829E567148921DCD8ED229A58A4D022143EF8952DD3E34A5AD76F857E5E720AB75C9482A532903B915C4092EFDC8BA4778C4DE3680DAC21BDC83C5522
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.docx"
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.docx

    Filesize

    21KB

    MD5

    7079891932a64f097abafd233055a1e9

    SHA1

    246d95feafe67689d49a5a4cadba18d3ac1914e5

    SHA256

    c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

    SHA512

    6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

  • \Users\Admin\AppData\Local\Temp\3F13.tmp

    Filesize

    539KB

    MD5

    97f4047d20a637bc6be040b914050d94

    SHA1

    a962b5eb11280fb94f3c4c22f61682247247ab39

    SHA256

    58f60746d9a49b8591d9e7319a46c6116bf495a6de94390c673c6b8ae554c11e

    SHA512

    6e63834362da26d2773e46ed593d3ea8b5cc0bb97397bcc6bcb50be6d379e3b3774a786f75cf3bcbf3ff8fdf5061664c3c5ac21e45b493f0d1f954e1104cec2d

  • memory/2808-7-0x000000002F661000-0x000000002F662000-memory.dmp

    Filesize

    4KB

  • memory/2808-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2808-9-0x000000007106D000-0x0000000071078000-memory.dmp

    Filesize

    44KB

  • memory/2808-12-0x000000007106D000-0x0000000071078000-memory.dmp

    Filesize

    44KB