Analysis

  • max time kernel
    119s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    02/10/2024, 05:40

General

  • Target

    65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe

  • Size

    90KB

  • MD5

    da85e435f12df2ed8021698ce78f9b70

  • SHA1

    bba8120a2607f644c60dbc6cf4163b42f725c238

  • SHA256

    65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840

  • SHA512

    c6b13c7281acf4c9bc2faec07a88dfc23830a63b35779a85dc43c5a5d3e0ffc1c4b59e3f663eb8bf8122fb1d1189f1cc42536c6a99a5d69c0ab54b91aa9c5dfc

  • SSDEEP

    1536:r1Sbpfv5DOWknf7LAQkhB5EQr5PqNzH3EEIMrAgx29E9zt7Hp4h+DGm3/7qq:IbpfhDOW7hBhr4pX5r9x29E9z5HpZDGu

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
    "C:\Users\Admin\AppData\Local\Temp\65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2612
    • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2896
      • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

    Filesize

    91KB

    MD5

    25b6b0fbd3b05d43315edaf25351e989

    SHA1

    24f226baf42a78cdaf78619f7c58cb3cb19da56e

    SHA256

    5b972c81667f114ed0672b23dc4d0d536ed224c4800427d69748a0dfaef167f5

    SHA512

    970e972c1e90e0996f6ee11896b4600fd80de141377cf347802b2678d66c9553de7af15874c221d4a7df022dcbfecf86d91431895fab81e9e0e76f9c59c69f62

  • \Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

    Filesize

    90KB

    MD5

    f0ce1e680faff28f012964a7815b12aa

    SHA1

    2efb56de6b415eab9372c7e63685deb6101b1c24

    SHA256

    ba95b1e15eaffa7b47cfb78ef7bbbb4a3995587378bc6a9641c5646f21202089

    SHA512

    56a30473bd0976e8cf88df4f8b8168ee892b68048444563d70424f3f050fd286231d15fda78872e1b047377cb89a9faa48ba9b2b806730ee7fdbc7a03e6d8529

  • memory/2300-25-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2300-42-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2416-21-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2612-38-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2752-33-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/2828-27-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB