Resubmissions
- 21/09/2024, 15:57  240921-td12yszhrd  score 7
- 21/09/2024, 15:56  240921-tdehys1cml  score 3
- 21/09/2024, 12:37  240921-ptr2rssglq  score 3
- 21/09/2024, 12:36  240921-ptcl3ssgkm  score 3
Analysis
- max time kernel: 363s
- max time network: 365s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/09/2024, 15:57
Static task: static1
Behavioral task: behavioral1
  Sample: dhm6hb.zip
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dhm6hb.zip
  Resource: win10v2004-20240802-en
General
- Target: dhm6hb.zip
- Size: 1.4MB
- MD5: c9dc50ae9c21b0b9c197cd8ed3933ce9
- SHA1: e31a23ad267bb07f7e350152f7c238a0eae8f378
- SHA256: ff63748d7e23e908dc77ef2ee99de79ea60d2d1e31df71f01bfda0f4d802ca65
- SHA512: e184dd258cf4982eefbc48a6f0922ee4de1a844e00913cf7a0cfe17a29840fd3c038c0ec5432c9e223dc617b4baa6a9cefcaed48aabbf4cc77b5069255e212b9
- SSDEEP: 24576:ZJWZ7iMmQECwzEDSdiaKECn+6g+b4EDfpvC/ePXO36m7KJf4G6x:GiLpCwwDrEC+6g+bTNCSoel4Jx
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2152  Artemis.exe
  pid 2196  Artemis.exe
- Loads dropped DLL (26 IoCs)
  pid 1200  Process not Found  (14 entries)
  pid 2592  Process not Found
  pid 2644  WerFault.exe  (3 entries)
  pid 1200  Process not Found  (4 entries)
  pid 1668  Process not Found
  pid 1000  WerFault.exe  (3 entries)
- System Binary Proxy Execution: Verclsid (1 TTPs, 1 IoCs)
  Adversaries may abuse Verclsid to proxy execution of malicious code.
  pid 2692  verclsid.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2152  Artemis.exe
  pid 2196  Artemis.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeRestorePrivilege   pid 2876  7zG.exe
  Token: 35                   pid 2876  7zG.exe
  Token: SeSecurityPrivilege  pid 2876  7zG.exe
  Token: SeSecurityPrivilege  pid 2876  7zG.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2876  7zG.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2152 wrote to memory of 2644  pid 2152  Artemis.exe  procid_target 36  (3 entries)
  PID 2196 wrote to memory of 1000  pid 2196  Artemis.exe  procid_target 39  (3 entries)
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\dhm6hb.zip
  PID: 2304
- C:\Windows\system32\verclsid.exe
  Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  Signatures: System Binary Proxy Execution: Verclsid
  PID: 2692
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\dhm6hb\" -ad -an -ai#7zMap8032:92:7zEvent7720
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  PID: 2876
- C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe" C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.dll
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID: 2152
  - C:\Windows\system32\WerFault.exe (child of PID 2152)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2152 -s 132
    Signatures: Loads dropped DLL
    PID: 2644
- C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID: 2196
  - C:\Windows\system32\WerFault.exe (child of PID 2196)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2196 -s 132
    Signatures: Loads dropped DLL
    PID: 1000
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: ba4c1db75b72e0ecc48183563a8a723e
  SHA1: 19c97efadaca0b03b3ae3ede77650347576610e0
  SHA256: c8274583cf79fe6a46cfa15841d8ac0666a5cee11616bd329004f3838479be13
  SHA512: e37d8f2ac8d6cc1c395f2fe79efd1639da42b2db7f03d15c8d039dd60516f417c98c1a2d951280b384465267861160c49ca4c5b3e4d3156eacf7acd4af796671
- Filesize: 1.2MB
  MD5: 37268daa715f7756bee72c2a3479d4a0
  SHA1: f5ba072f9a8e3a73489b30febfb2fcf2073442b7
  SHA256: 8092ce66892f6218283ef2acc11117b35782620ef347fa4d86629d38e2872fe4
  SHA512: 998b87874eec11c6ad167ddca63e3f5678896eb5a192ae9296be1447a4bfbffc24022e8ca2b9b82758cacf0748019871e9f9f15f0762dbb73ef5385bf3fc4236