Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/09/2024, 05:09

General

  • Target

    teur4.exe

  • Size

    615KB

  • MD5

    b3e46b8cbe83d0e6002173c37e8436a7

  • SHA1

    de994b98fac3f9499ee15c3ccf859ef05db14b62

  • SHA256

    35f20c8ae6e9990812b6ccf20321af32662bcf76d8c27a800f086255911bfb6b

  • SHA512

    5f9a07740d76c9407160029655a9b66a50e136b63abd071c79106d2339b6951c28397f441cec7c99d968706ed7bd4e01288459bf22e0489fca646eccf0dc57f8

  • SSDEEP

    12288:3Ui+Sybja8AwVReTD7oB++4clgVY3fYNKfPTksjUTyKJrVSo5flO9dJu:3KSybm8AaRiE+wy2PYNCQIWVd5cw

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\teur4.exe
    "C:\Users\Admin\AppData\Local\Temp\teur4.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\teur4.exe
      C:\Users\Admin\AppData\Local\Temp\teur4.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\teur4.exe" /TN vphawsPt128a /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2944
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN vphawsPt128a > C:\Users\Admin\AppData\Local\Temp\i5cJFMUSh.xml
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN vphawsPt128a
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\i5cJFMUSh.xml

    Filesize

    1KB

    MD5

    1eca9bc76acd870c5d51b9692717e77f

    SHA1

    f3045272c3a5356c030b78a3b280fd0debf177c9

    SHA256

    cc326b6e66ea9f19c3fa2230cd2fab514296f635359b64d91a780220fa7bf663

    SHA512

    c311fdabd4b554ca971dfad55cf232634144c9a08081a57593c7deb61713b58f98a5d6b921b46f698817f76fcc48482440a64e042fb03decd01629d1d1e463b8

  • C:\Users\Admin\AppData\Local\Temp\teur4.exe

    Filesize

    615KB

    MD5

    2e38baeae2ba1db7d29fe16b8c74f93a

    SHA1

    d41e909eb38542032b064d033e139a2669092977

    SHA256

    2fa067156ae80576a9fc02f95e239f019ab67e65067f49c84b8339451b4d3b85

    SHA512

    bd842c00ae041856ebce20e043b208c64210f555187421c15b82837f67515e65762fd96a088bea8a72e4e5fc8358fd6aebda48c0e4c045276bb37eb4746df176

  • memory/2672-0-0x0000000000400000-0x000000000065C000-memory.dmp

    Filesize

    2.4MB

  • memory/2672-15-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2672-7-0x00000000002A0000-0x000000000031E000-memory.dmp

    Filesize

    504KB

  • memory/2672-1-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/3028-30-0x0000000000260000-0x00000000002DE000-memory.dmp

    Filesize

    504KB

  • memory/3028-29-0x0000000000340000-0x00000000003AB000-memory.dmp

    Filesize

    428KB

  • memory/3028-28-0x0000000000400000-0x000000000065C000-memory.dmp

    Filesize

    2.4MB

  • memory/3028-23-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/3028-51-0x0000000000400000-0x000000000065C000-memory.dmp

    Filesize

    2.4MB