Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    24/08/2024, 04:33

General

  • Target

    d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe

  • Size

    2.7MB

  • MD5

    ac3ab242cda9abd60b9b5bce92c201c0

  • SHA1

    ad05cec66b8471ba6fad3afb7a2dc16215000555

  • SHA256

    d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41

  • SHA512

    4965150d36702e824bf9e7ea6b350fcc2ddddc5bdeed05b2d617fc22df3d9b639c73fc648d490d35261e65285842f8ed9eff2d61b8b4be462f02bcfe7ba12113

  • SSDEEP

    49152:9YyT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:ZTE66yXZ02DwUHoazRofxIhELjf/IVgs

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
    "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe
      "C:\Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 848
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe

    Filesize

    2.7MB

    MD5

    ea2bf0f98e449a2c59dff1f9fb09af97

    SHA1

    53cbbfd14a001acea01c7238889ae85655f53916

    SHA256

    816e85cc6582042f1474be9825bb38ec7d861ed77302e54240f718a71ede9b4f

    SHA512

    fa9424728ce18b1beaf967853d1aa6ed98b67e42f9ba1f8ea94ee1a4133ea125c277366ad532ddc652a468991c1bb9a380eed42a02476f07b60cc16a0e31dab6

  • \Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe

    Filesize

    2.7MB

    MD5

    c030475d0b475bb229d909ec7f2453ff

    SHA1

    cb4faf1181ee06447eed1c23fe59f16fe4d241d6

    SHA256

    081087f86099e6b85f57a4a7f71d355d6be40155c770f5bdee7fc86662b22454

    SHA512

    9683eaf0c00482fdfc05d2623f5ae23427a4934bc5b4e24a820484491fdfe279f6a0183cba957f1564d62c792975bf279f837914554e93ca0f3cc612f4dde9d3

  • memory/2160-29-0x0000000074280000-0x000000007496E000-memory.dmp

    Filesize

    6.9MB

  • memory/2160-30-0x00000000003B0000-0x0000000000672000-memory.dmp

    Filesize

    2.8MB

  • memory/2160-32-0x0000000074280000-0x000000007496E000-memory.dmp

    Filesize

    6.9MB

  • memory/2160-38-0x0000000074280000-0x000000007496E000-memory.dmp

    Filesize

    6.9MB

  • memory/2516-3-0x0000000074280000-0x000000007496E000-memory.dmp

    Filesize

    6.9MB

  • memory/2516-4-0x0000000074280000-0x000000007496E000-memory.dmp

    Filesize

    6.9MB

  • memory/2516-5-0x0000000074280000-0x000000007496E000-memory.dmp

    Filesize

    6.9MB

  • memory/2516-2-0x00000000070B0000-0x00000000072D4000-memory.dmp

    Filesize

    2.1MB

  • memory/2516-1-0x0000000000880000-0x0000000000B42000-memory.dmp

    Filesize

    2.8MB

  • memory/2516-0-0x000000007428E000-0x000000007428F000-memory.dmp

    Filesize

    4KB

  • memory/2516-31-0x0000000074280000-0x000000007496E000-memory.dmp

    Filesize

    6.9MB