Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f311887894...0N.exe

windows7-x64

7

f311887894...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    17/08/2024, 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f311887894ff39840a5e713b58489d00N.exe

  • Size

    463KB

  • MD5

    f311887894ff39840a5e713b58489d00

  • SHA1

    d1f64b06bdff758b403c57d3977bba2e1a628c8d

  • SHA256

    ec11ac94782a7a6d4b6f6026ee0064b42aa4c7c14d9b6459cd9db396aebcbdc2

  • SHA512

    33430508c86c6c160bf1fa4d7ada993c5610064fc1db78a4abfd6ef3cdcea7d69f7e5f403c1b97efc321ef06992d0c807a95624b418d13be80a090196b66613c

  • SSDEEP

    12288:Grlc87eqqV5e+wBV6O+1QlgMaAbhNXD4G4gvqSWri28:GrSqqHeVBxNGMaAbhNzp4gvqSQ

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\f311887894ff39840a5e713b58489d00N.exe
      "C:\Users\Admin\AppData\Local\Temp\f311887894ff39840a5e713b58489d00N.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Users\Admin\AppData\Roaming\ctfmance\subsfWrp.exe
        "C:\Users\Admin\AppData\Roaming\ctfmance"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\Users\Admin\AppData\Local\Temp\~385F.tmp
          1392 474632 1464 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1212
  • C:\Windows\SysWOW64\AtBrokup.exe
    C:\Windows\SysWOW64\AtBrokup.exe -s
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~385F.tmp
    Filesize

    8KB

    MD5

    86dc243576cf5c7445451af37631eea9

    SHA1

    99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

    SHA256

    25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

    SHA512

    c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

    Download Submit

  • \Users\Admin\AppData\Roaming\ctfmance\subsfWrp.exe
    Filesize

    463KB

    MD5

    7b1ad9b9383598a8436f5c58632b8e5c

    SHA1

    36303718addec07187045a2a5cedd761e37255f1

    SHA256

    710b6046826e1226e3d7cf602b566ef4c8b5c750ad15f1f568648c94294a2ad7

    SHA512

    ac53c98dc86d35385ff3b0783e989c3924ab0bd744c983e4d4f268a6a1f202e334828039cc22cced17f024bf234d405ddd50043c9c01a22df853e6f97affa918

    Download Submit

  • memory/1392-22-0x00000000041B0000-0x0000000004233000-memory.dmp

    Filesize

    524KB

    Download

  • memory/1392-27-0x0000000002A70000-0x0000000002A76000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1392-31-0x0000000002A80000-0x0000000002A8D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1392-21-0x00000000041B0000-0x0000000004233000-memory.dmp

    Filesize

    524KB

    Download

  • memory/1392-23-0x00000000041B0000-0x0000000004233000-memory.dmp

    Filesize

    524KB

    Download

  • memory/1464-25-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1464-17-0x00000000002C0000-0x00000000002C5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1464-16-0x0000000000220000-0x000000000029C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1464-13-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2896-36-0x0000000000300000-0x000000000037C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2896-35-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/3036-26-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/3036-0-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/3036-10-0x0000000000380000-0x00000000003F9000-memory.dmp

    Filesize

    484KB

    Download

  • memory/3036-1-0x00000000002A0000-0x000000000031C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/3036-34-0x00000000002A0000-0x000000000031C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/3036-11-0x0000000000380000-0x00000000003F9000-memory.dmp

    Filesize

    484KB

    Download