Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 12:53

General

  • Target

    IMG88957937579577593957937593756295Jimpy.exe

  • Size

    445KB

  • MD5

    d3593f7e5a555a84fea5d70412463a0a

  • SHA1

    1614572890ef26f28f3b7c9f04ba7e6eb06587d9

  • SHA256

    53805ebc2b9eb59587ee7baeb45de6df203dbba25913de393026f4c14f0f5487

  • SHA512

    4fbeab30dbe08a82480d21ee69b8ee0e92656c96f30eec84b0967373bb22f86310dc61421c02cd10689485eaea3ddad5173e77b7b0be3ff4a6752fb407c605f8

  • SSDEEP

    6144:Cg1KQjoauKpc9yUm6WCWmr3lBQdbpBnHUqS6tJF4ZO7kLUaULIU+JB3zj9torp1s:YxMc9yUmHmrEdX0gtJFcopIFBjjc+

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG88957937579577593957937593756295Jimpy.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG88957937579577593957937593756295Jimpy.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Planta=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Atomraketter\Antihysteric.Ing';$Donnick=$Planta.SubString(58063,3);.$Donnick($Planta)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Atomraketter\Antihysteric.Ing

    Filesize

    56KB

    MD5

    05feec34f8951c4a66d9c1fc1815c309

    SHA1

    25cbe83a1a0dc2527b0f14828325d78283420147

    SHA256

    736c2ce0c3ec68af645c2e002900e1495685d43377cb8ef023d1d7d8b23fa0f4

    SHA512

    ec01cbcd363cdc64d37a4d9dc84341fe10e8c8084213244bb1c261521a63c5a10951e4fc06a32b31440016c8c9d9124854e73baf0c24f7c21e20ede9c82238df

  • C:\Users\Admin\AppData\Local\Temp\Atomraketter\Dirigentstokkene.Kar

    Filesize

    325KB

    MD5

    7c4da3249dd31bedbcd1882de8c9d5ac

    SHA1

    971dd3ca5eb74dbb9461f8d6ca1128033f7226da

    SHA256

    e31c7db58fb91930922336d41bcf8e5a9faa16fb2112e5e703260705960ccb05

    SHA512

    bd0dd3466cd33f029716020b9aaa3b904dc58eef303b396ce567cfe02f10eabc1e5433e4905b6304dd8a79c5fd0025bb2a4a15b2e116590f1d0673be0aaff7a9

  • memory/2832-10-0x0000000073D41000-0x0000000073D42000-memory.dmp

    Filesize

    4KB

  • memory/2832-11-0x0000000073D40000-0x00000000742EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2832-12-0x0000000073D40000-0x00000000742EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2832-13-0x0000000073D40000-0x00000000742EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2832-14-0x0000000073D40000-0x00000000742EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2832-17-0x0000000073D40000-0x00000000742EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2832-19-0x0000000073D40000-0x00000000742EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2832-20-0x0000000006500000-0x0000000009DB0000-memory.dmp

    Filesize

    56.7MB

  • memory/2832-21-0x0000000073D40000-0x00000000742EB000-memory.dmp

    Filesize

    5.7MB