Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/08/2024, 01:37

General

  • Target

    4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe

  • Size

    231KB

  • MD5

    d7f7dfa376ae79bae6a0d295380998de

  • SHA1

    fba36039752c612c0ddb8ad6d1977f956bfe0276

  • SHA256

    4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1

  • SHA512

    bdaa5a2b8d650ad5a091e6eca0deb62de63d080f9df2fe127a58d3432681d33f399d0575f97278e0af3566bda008295783981345b906d37a44c5a6a3d746f576

  • SSDEEP

    3072:N1JbT4aQQlT4aI4AgymsMU5a44Av2E8heNdqMREhJLsyV9GGWPGWgnVFqQMeJq7n:NPTh45gy/R4Av2TS9EhN1qQMeQLtDB

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe
    "C:\Users\Admin\AppData\Local\Temp\4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\Temp\asw.d5f30055ddbc5232\avast_one_essential_setup_online_x64.exe
      "C:\Windows\Temp\asw.d5f30055ddbc5232\avast_one_essential_setup_online_x64.exe" /cookie:mmm_aon_003_999_d8h_m:dlid_AVAST-ONE-FREE-WIN-PP /ga_clientid:700af71b-e5d4-4083-84b9-7e12d0901708 /edat_dir:C:\Windows\Temp\asw.d5f30055ddbc5232
      2⤵
      • Executes dropped EXE
      • Checks for any installed AV software in registry
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Downloads

  • C:\Windows\Temp\asw.d5f30055ddbc5232\avast_one_essential_setup_online_x64.exe

    Filesize

    9.5MB

    MD5

    3cb9ff19d049fffc674a3d8b01e98376

    SHA1

    eef0fc5734f9d7d386b926e53f96efefbb94673b

    SHA256

    4f5e15321ab95d6a07c4d2e2317eaedcf3d377200cc3b4ca63247477660b3a98

    SHA512

    03af8a34b03010a4846bd6d99c2421b4cccbe176307c279f8ff8544b1a776511ec625c1e56381fd94b863b00d2f9faf9d1e0dde6c1fa4cee8c5065d83a25918b