Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2024-08-23...ch.exe

windows7-x64

7

2024-08-23...ch.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23/08/2024, 03:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe

  • Size

    5.8MB

  • MD5

    ea39944f0d6314a20a56029845e02a4a

  • SHA1

    59f0ec70218086e979fac6eaa2f0a8e8a00f87ed

  • SHA256

    d0a4e9a4d5f555b88124d4811ce28b2d8f39d84fb615d6d43c80b72bd966a9bb

  • SHA512

    a0dac17d1a9bb8b6305d7fc85fb3d1f35417eb6ad51ed3e150efdc9b5af367884c0d9a8af1d154194f3452f88101b037aa9419cc039159990e05e138ab7b7839

  • SSDEEP

    49152:vzVnEQO3Cgrb/TbvO90d7HjmAFd4A64nsfJK/pJcBMfDF/4q4quspdkg6KhdvZfE:23C0/3x4rKhd0TEiN

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe"
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\system32\schtasks.exe
      C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\VHrGKHwlsWhGGrelGRyt /F /TN ChromeUpdateTaskMachinCore
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2136
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
        "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
        3⤵
        • Executes dropped EXE
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\VHrGKHwlsWhGGrelGRyt
    Filesize

    1KB

    MD5

    fa9abb1b81a73b8ce16f44219166da93

    SHA1

    6e36de843a7ac23ee934fc1bab975f508ab5704c

    SHA256

    ce6ec3451119af6a0f817766e94802e83c44d06caa97bd6abd0daa525c5268eb

    SHA512

    76ef6d4d208751f2e815a52ba7dd4b2df7a7ca818a38f6811987c0cb16f6f373ed5de6ba8c8d572e264a5fe965ae590d009e3f549747b3d2b6f7e1d991a8c616

    Download Submit

  • \Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
    Filesize

    5.8MB

    MD5

    e7f5fa46e1a14a43df990c10b41ebdee

    SHA1

    e523138a5f7766cc9afc1d52deb53887fd0dc983

    SHA256

    94f819e05af0db90005cd2a5a023a9dfeb3fa40450ec06cde032cc8c848eaf8f

    SHA512

    06fba94795c94dbb20c259d20badf94e7a72412a07619f0f0f1bcc88c11de3334a24a83cec16235fc51df9782021208798c07d79dfb6dfd0c3fb8e4f58405234

    Download Submit