Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
21/09/2024, 15:57
240921-td12yszhrd 721/09/2024, 15:56
240921-tdehys1cml 321/09/2024, 12:37
240921-ptr2rssglq 321/09/2024, 12:36
240921-ptcl3ssgkm 3Analysis
-
max time kernel
363s -
max time network
365s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21/09/2024, 15:57
General
-
Target
dhm6hb.zip
-
Size
1.4MB
-
MD5
c9dc50ae9c21b0b9c197cd8ed3933ce9
-
SHA1
e31a23ad267bb07f7e350152f7c238a0eae8f378
-
SHA256
ff63748d7e23e908dc77ef2ee99de79ea60d2d1e31df71f01bfda0f4d802ca65
-
SHA512
e184dd258cf4982eefbc48a6f0922ee4de1a844e00913cf7a0cfe17a29840fd3c038c0ec5432c9e223dc617b4baa6a9cefcaed48aabbf4cc77b5069255e212b9
-
SSDEEP
24576:ZJWZ7iMmQECwzEDSdiaKECn+6g+b4EDfpvC/ePXO36m7KJf4G6x:GiLpCwwDrEC+6g+bTNCSoel4Jx
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 26 IoCs
-
System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs
Adversaries may abuse Verclsid to proxy execution of malicious code.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\dhm6hb.zip1⤵
-
C:\Windows\system32\verclsid.exe"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x4011⤵
- System Binary Proxy Execution: Verclsid
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\dhm6hb\" -ad -an -ai#7zMap8032:92:7zEvent77201⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe" C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.dll1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2152 -s 1322⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2196 -s 1322⤵
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5ba4c1db75b72e0ecc48183563a8a723e
SHA119c97efadaca0b03b3ae3ede77650347576610e0
SHA256c8274583cf79fe6a46cfa15841d8ac0666a5cee11616bd329004f3838479be13
SHA512e37d8f2ac8d6cc1c395f2fe79efd1639da42b2db7f03d15c8d039dd60516f417c98c1a2d951280b384465267861160c49ca4c5b3e4d3156eacf7acd4af796671
-
Filesize
1.2MB
MD537268daa715f7756bee72c2a3479d4a0
SHA1f5ba072f9a8e3a73489b30febfb2fcf2073442b7
SHA2568092ce66892f6218283ef2acc11117b35782620ef347fa4d86629d38e2872fe4
SHA512998b87874eec11c6ad167ddca63e3f5678896eb5a192ae9296be1447a4bfbffc24022e8ca2b9b82758cacf0748019871e9f9f15f0762dbb73ef5385bf3fc4236