Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    02/08/2024, 07:25

General

  • Target

    721839f3b46046e609e0460fc7d66280N.exe

  • Size

    506KB

  • MD5

    721839f3b46046e609e0460fc7d66280

  • SHA1

    be5fd324888881f66a8c22dc91192d2b78f06a16

  • SHA256

    a7ff068df4e5cb90cfef8c4b5f6d512ca021ae9b71b111e701cfef53e953a960

  • SHA512

    5ddf274d2761c7184229a11ffeb4279bef19149a4ae0b9badfd43f87d4947aa730ec83bf72f5feef0e415f28dcac3177a77ec80776c43e3d7e9dfc6785523d9b

  • SSDEEP

    12288:DyQRUAXZNHvLiW4NJz5cY2vklltT1AV0MjoB5W+u:Dy5AXDHvLijd2cllpGV0MC59u

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\721839f3b46046e609e0460fc7d66280N.exe
    "C:\Users\Admin\AppData\Local\Temp\721839f3b46046e609e0460fc7d66280N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\n5935\s5935.exe
      "C:\Users\Admin\AppData\Local\Temp\n5935\s5935.exe" ins.exe /e6126600 /u50d1d9d5-cf90-407c-820a-35e05bc06f2f /v"C:\Users\Admin\AppData\Local\Temp\721839f3b46046e609e0460fc7d66280N.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\n5935\s5935.exe

    Filesize

    275KB

    MD5

    316287c0010874356127dd8b7bc17896

    SHA1

    0939ad854954393f052f5ba64b6c4b8e03a8866b

    SHA256

    69d0557e8d695a1d44ed91b643b93a01a2fd74056dc21bf334965f5045e8f4c9

    SHA512

    1d995b5e18bdf387a42d0029d20c1f2889fa70c5bc8895df674fc83e3b49bb2acd8031966b593cff2b72438bde929a50a7558adc1df5d8cae7097b8fedb39c1c

  • memory/2700-14-0x000007FEF65CE000-0x000007FEF65CF000-memory.dmp

    Filesize

    4KB

  • memory/2700-15-0x00000000002E0000-0x00000000002EA000-memory.dmp

    Filesize

    40KB

  • memory/2700-16-0x000007FEF6310000-0x000007FEF6CAD000-memory.dmp

    Filesize

    9.6MB

  • memory/2700-17-0x000007FEF6310000-0x000007FEF6CAD000-memory.dmp

    Filesize

    9.6MB

  • memory/2700-18-0x000007FEF6310000-0x000007FEF6CAD000-memory.dmp

    Filesize

    9.6MB