Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

dhm6hb.zip

windows7-x64

7

dhm6hb.zip

windows10-2004-x64

7

Resubmissions

21/09/2024, 15:57

240921-td12yszhrd 7

21/09/2024, 15:56

240921-tdehys1cml 3

21/09/2024, 12:37

240921-ptr2rssglq 3

21/09/2024, 12:36

240921-ptcl3ssgkm 3

Analysis

  • max time kernel
    599s
  • max time network
    440s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dhm6hb.zip

  • Size

    1.4MB

  • MD5

    c9dc50ae9c21b0b9c197cd8ed3933ce9

  • SHA1

    e31a23ad267bb07f7e350152f7c238a0eae8f378

  • SHA256

    ff63748d7e23e908dc77ef2ee99de79ea60d2d1e31df71f01bfda0f4d802ca65

  • SHA512

    e184dd258cf4982eefbc48a6f0922ee4de1a844e00913cf7a0cfe17a29840fd3c038c0ec5432c9e223dc617b4baa6a9cefcaed48aabbf4cc77b5069255e212b9

  • SSDEEP

    24576:ZJWZ7iMmQECwzEDSdiaKECn+6g+b4EDfpvC/ePXO36m7KJf4G6x:GiLpCwwDrEC+6g+bTNCSoel4Jx

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 12 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\dhm6hb.zip
    1⤵
      PID:1140
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3164
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\dhm6hb\" -ad -an -ai#7zMap24521:92:7zEvent515
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4988
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4456
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe" C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.dll
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1536
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe" C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.dll
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:532
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:8
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3520
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3240
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3208
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe" C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.dll
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3064
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe" C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.dll
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2480
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4040
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3556
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1476
      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        "C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2432

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\dhm6hb\Artemis.exe
        Filesize

        1.2MB

        MD5

        37268daa715f7756bee72c2a3479d4a0

        SHA1

        f5ba072f9a8e3a73489b30febfb2fcf2073442b7

        SHA256

        8092ce66892f6218283ef2acc11117b35782620ef347fa4d86629d38e2872fe4

        SHA512

        998b87874eec11c6ad167ddca63e3f5678896eb5a192ae9296be1447a4bfbffc24022e8ca2b9b82758cacf0748019871e9f9f15f0762dbb73ef5385bf3fc4236

        Download Submit

      • memory/3208-11-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-12-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-13-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-23-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-22-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-21-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-20-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-19-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-18-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-17-0x000001E058FC0000-0x000001E058FC1000-memory.dmp

        Filesize

        4KB

        Download