Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

21/09/2024, 15:57

240921-td12yszhrd 7

21/09/2024, 15:56

240921-tdehys1cml 3

21/09/2024, 12:37

240921-ptr2rssglq 3

21/09/2024, 12:36

240921-ptcl3ssgkm 3

Analysis

  • max time kernel
    363s
  • max time network
    365s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21/09/2024, 15:57

General

  • Target

    dhm6hb.zip

  • Size

    1.4MB

  • MD5

    c9dc50ae9c21b0b9c197cd8ed3933ce9

  • SHA1

    e31a23ad267bb07f7e350152f7c238a0eae8f378

  • SHA256

    ff63748d7e23e908dc77ef2ee99de79ea60d2d1e31df71f01bfda0f4d802ca65

  • SHA512

    e184dd258cf4982eefbc48a6f0922ee4de1a844e00913cf7a0cfe17a29840fd3c038c0ec5432c9e223dc617b4baa6a9cefcaed48aabbf4cc77b5069255e212b9

  • SSDEEP

    24576:ZJWZ7iMmQECwzEDSdiaKECn+6g+b4EDfpvC/ePXO36m7KJf4G6x:GiLpCwwDrEC+6g+bTNCSoel4Jx

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 26 IoCs
  • System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

    Adversaries may abuse Verclsid to proxy execution of malicious code.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\dhm6hb.zip
    1⤵
      PID:2304
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
      • System Binary Proxy Execution: Verclsid
      PID:2692
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\dhm6hb\" -ad -an -ai#7zMap8032:92:7zEvent7720
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2876
    • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
      "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe" C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.dll
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2152 -s 132
        2⤵
        • Loads dropped DLL
        PID:2644
    • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
      "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2196 -s 132
        2⤵
        • Loads dropped DLL
        PID:1000
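Two things in the tree above deserve a second look before the 7/10 score is taken at face value. First, verclsid.exe here is started by Explorer.exe with the exact argument shape `/S /C {CLSID} /I {IID} /X <flags>`, which is Explorer's own out-of-process check of a shell extension while it opens the archive; the Verclsid proxy-execution technique becomes interesting only when the parent is not Explorer or the arguments differ. Second, both runs of Artemis.exe (PIDs 2152 and 2196) are followed by `WerFault.exe -u -p <pid>`, i.e. Windows Error Reporting was invoked for each of them, so the dropped EXE faulted on every run and the sandbox most likely never saw its payload execute; the one run that passes `Artemis.dll` on the command line is the DLL-beside-EXE pattern worth carrying into further analysis. The following script is an added example, not part of the tria.ge report: it transcribes the process tree from this page (parent links taken from the tree indentation, with Explorer.exe as the root) and applies those three checks. The `Proc` type, the function names and the temp-directory heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
# Explorer.exe verifies a shell extension out-of-process before loading it, and that is the
# only argument shape it produces: /S /C {CLSID} /I {IID} /X <flags>.  Any other parent or
# shape is the case the ATT&CK technique (T1218.012) is actually about.
VERCLSID_EXPECTED = re.compile(
    rf'^"?.*?\\verclsid\.exe"?\s+/S\s+/C\s+{GUID}\s+/I\s+{GUID}\s+/X\s+0x[0-9A-Fa-f]+\s*$',
    re.I)
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)(?=\s|$)', re.I)
WER_PID = re.compile(r"\s-p\s+(\d+)\b", re.I)
# Heuristic for "dropped" binaries: anything executing out of the user's temp directory (assumption).
TEMP_ROOTS = ("\\appdata\\local\\temp\\",)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Process tree transcribed from the report above (constructed from the page; parent links follow
# the tree indentation, with Explorer.exe as the root).
REPORT_PROCS: List[Proc] = [
    Proc(2304, None, r"C:\Windows\Explorer.exe",
         r"C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\dhm6hb.zip"),
    Proc(2692, 2304, r"C:\Windows\system32\verclsid.exe",
         r'"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} '
         r'/I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401'),
    Proc(2876, 2304, r"C:\Program Files\7-Zip\7zG.exe",
         r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\dhm6hb\" '
         r'-ad -an -ai#7zMap8032:92:7zEvent7720'),
    Proc(2152, 2304, r"C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe" '
         r'C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.dll'),
    Proc(2644, 2152, r"C:\Windows\system32\WerFault.exe",
         r"C:\Windows\system32\WerFault.exe -u -p 2152 -s 132"),
    Proc(2196, 2304, r"C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"'),
    Proc(1000, 2196, r"C:\Windows\system32\WerFault.exe",
         r"C:\Windows\system32\WerFault.exe -u -p 2196 -s 132"),
]


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def _is_dropped(p: Proc) -> bool:
    return any(root in p.image.lower() for root in TEMP_ROOTS)


def verclsid_is_expected(p: Proc, by_pid: Dict[int, Proc]) -> bool:
    """True only for Explorer's own out-of-process shell-extension check."""
    parent = by_pid.get(p.ppid) if p.ppid is not None else None
    return (parent is not None and _name(parent.image) == "explorer.exe"
            and VERCLSID_EXPECTED.match(p.cmdline) is not None)


def sideload_candidates(procs: List[Proc]) -> List[Proc]:
    """Dropped EXEs handed a DLL from their own directory on the command line."""
    found = []
    for p in procs:
        if not _is_dropped(p):
            continue
        for m in DLL_ARG.finditer(p.cmdline):
            dll = m.group(1) or m.group(2)
            if _dir(dll) == _dir(p.image):
                found.append(p)
                break
    return found


def crashed_pids(procs: List[Proc]) -> Set[int]:
    """PIDs that WerFault.exe was started for (-p <pid>): those processes faulted."""
    known = {p.pid for p in procs}
    out: Set[int] = set()
    for p in procs:
        if _name(p.image) == "werfault.exe":
            m = WER_PID.search(p.cmdline)
            if m and int(m.group(1)) in known:
                out.add(int(m.group(1)))
    return out


def triage(procs: List[Proc]) -> dict:
    by_pid = {p.pid: p for p in procs}
    crashed = crashed_pids(procs)
    return {
        "unexpected_verclsid": [p.pid for p in procs if _name(p.image) == "verclsid.exe"
                                and not verclsid_is_expected(p, by_pid)],
        "sideload_candidates": [p.pid for p in sideload_candidates(procs)],
        "crashed": sorted(crashed),
        # If every dropped process faulted, the sandbox never saw the payload run.
        "payload_observed": any(p.pid not in crashed for p in procs if _is_dropped(p)),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_PROCS).items():
        print(f"{key}: {value}")
```

Run against this report the script reports no unexpected verclsid.exe launch, PID 2152 as the EXE-plus-DLL candidate, both Artemis.exe PIDs as crashed and `payload_observed` false; re-running the same binary on a platform where it does not fault (or in a debugger) is the obvious next step rather than reading more into the signatures here.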

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.dll

      Filesize

      1.6MB

      MD5

      ba4c1db75b72e0ecc48183563a8a723e

      SHA1

      19c97efadaca0b03b3ae3ede77650347576610e0

      SHA256

      c8274583cf79fe6a46cfa15841d8ac0666a5cee11616bd329004f3838479be13

      SHA512

      e37d8f2ac8d6cc1c395f2fe79efd1639da42b2db7f03d15c8d039dd60516f417c98c1a2d951280b384465267861160c49ca4c5b3e4d3156eacf7acd4af796671

    • \Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe

      Filesize

      1.2MB

      MD5

      37268daa715f7756bee72c2a3479d4a0

      SHA1

      f5ba072f9a8e3a73489b30febfb2fcf2073442b7

      SHA256

      8092ce66892f6218283ef2acc11117b35782620ef347fa4d86629d38e2872fe4

      SHA512

      998b87874eec11c6ad167ddca63e3f5678896eb5a192ae9296be1447a4bfbffc24022e8ca2b9b82758cacf0748019871e9f9f15f0762dbb73ef5385bf3fc4236