Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 08:01

General

  • Target

    install_check/check_curl.exe

  • Size

    89KB

  • MD5

    2f2f73335394b46636755905fcea2cc9

  • SHA1

    5de63f89b0ad2c454574c86f60f49bfa79e80d0c

  • SHA256

    fd0dd71d6e2354d620f902c6b1a0ef7178d116fd9ec1463a690ae2dae454c2a6

  • SHA512

    a047cf969eac47b930740b665f48e4d367ee88195142c386d5621a094b7afd3eb97ec85df7a2f8f2ac027da88718f29e02abde29f6fbbc7fbeda05565028eb6a

  • SSDEEP

    1536:rX7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfRwy+O8:rLFfHgTWmCRkGbKGLeNTBfR0

Malware Config

Signatures

  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\install_check\check_curl.exe
    "C:\Users\Admin\AppData\Local\Temp\install_check\check_curl.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C449.tmp\C44A.tmp\C44B.bat C:\Users\Admin\AppData\Local\Temp\install_check\check_curl.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\system32\mshta.exe
        mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\INSTAL~1\CHECK_~1.EXE ::","","runas",0)(window.close)
        3⤵
        • Access Token Manipulation: Create Process with Token
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\INSTAL~1\CHECK_~1.EXE ::
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:580
          • C:\Users\Admin\AppData\Local\Temp\INSTAL~1\check_curl.exe
            C:\Users\Admin\AppData\Local\Temp\INSTAL~1\CHECK_~1.EXE ::
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of WriteProcessMemory
            PID:2824
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C561.tmp\C562.tmp\C563.bat C:\Users\Admin\AppData\Local\Temp\INSTAL~1\check_curl.exe ::"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1860
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c dir /a-d|find "temp"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1572
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" dir /a-d"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2780
                • C:\Windows\SysWOW64\find.exe
                  find "temp"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\C449.tmp\C44A.tmp\C44B.bat

    Filesize

    721B

    MD5

    47b37a734ad6b4e35a4461a40616c0e8

    SHA1

    991fc8f8382b0a2b214419ab6f25d59b06fe3c52

    SHA256

    a1c96a7c5f25e7c1ee323e5c345db68473fa53a497a876a6510cbe6b135c974d

    SHA512

    71e5968bb300e38d35f6ce203552ae70be5682df6c4442e53dd531dfa6500f817d4912df33d36fa132b12f29c2ff3601fec1fe2308e0c990b685f914d227ba85