Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

0b42c766b0...32.exe

windows7-x64

10

11f9bb7186...6b.exe

windows7-x64

3

childmoney.exe

windows7-x64

3

1c281ece6f...2a.exe

windows7-x64

3

32bb88fa59...4b.exe

windows7-x64

3

5056cbe553...3d.exe

windows7-x64

3

50e0f20cb3...69.exe

windows7-x64

6

57bbc27030...7b.exe

windows7-x64

3

65a84ff98e...02.exe

windows7-x64

10

6db6ac1ce8...be.exe

windows7-x64

10

72745efc42...46.exe

windows7-x64

10

751fb51baa...fe.exe

windows7-x64

10

95e95a5be0...63.exe

windows7-x64

3

a935725900...07.exe

windows7-x64

3

c190931380...74.dll

windows7-x64

3

dafc6c03ef...19.exe

windows7-x64

1

e3c6c48ba7...87.exe

windows7-x64

10

edbb453cc0...46.exe

windows7-x64

5

f633e6f255...4b.exe

windows7-x64

fda537bc5e...ad.exe

windows7-x64

3

Analysis

  • max time kernel
    4s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/11/2024, 19:18

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b.exe

  • Size

    160KB

  • MD5

    f0949d80cff63963625fcdf1fbb77ca8

  • SHA1

    9e640241e9b3c11af65665d6ebde18d762bf2d2a

  • SHA256

    f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b

  • SHA512

    bc97e3a430a7f7d09acb7dd1ca5cb9d100141371355fab7768155a9265c56777e06de67ffe7b8ad82b762f8306ae64534abc8ad7947b3f0c1e86d6487e5f1f51

  • SSDEEP

    3072:usN4+W+ogJ4i9zgCTwTmYPtZNpVvQVZQUrUMyCZLFJd3:VDTJKzqOuVzAMyOp

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b.exe
    "C:\Users\Admin\AppData\Local\Temp\f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b.exe
      "C:\Users\Admin\AppData\Local\Temp\f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b.exe"
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Users\Admin\AppData\Local\Temp\x2z8.exe
        C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Users\Admin\AppData\Local\Temp\x2z8.exe
          "C:\Users\Admin\AppData\Local\Temp\x2z8.exe"
          4⤵
          • Deletes itself
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2108
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2816
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:3052

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\fpath.txt
        Filesize

        102B

        MD5

        f9673770cdf4bec26cb3e95535277952

        SHA1

        0d30ed262896a65a2a81ea7fb0fc500659d69313

        SHA256

        5c9d2194ea06e813f50eae4f0bec84b61c7485c9dede30e4a750d41e2508d3f6

        SHA512

        f9b4425718b25675599042e1fe467f5e9926042183c4f4fc71f79a6014db0a266fb9c4ea7e985852b026bf825c38ba10f3759e94757ee363afdcbc274d8f291e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\x2z8.exe
        Filesize

        160KB

        MD5

        f0949d80cff63963625fcdf1fbb77ca8

        SHA1

        9e640241e9b3c11af65665d6ebde18d762bf2d2a

        SHA256

        f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b

        SHA512

        bc97e3a430a7f7d09acb7dd1ca5cb9d100141371355fab7768155a9265c56777e06de67ffe7b8ad82b762f8306ae64534abc8ad7947b3f0c1e86d6487e5f1f51

        Download Submit

      • memory/1624-0-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

        Download

      • memory/1624-1-0x00000000001B0000-0x00000000001B2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1624-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-10-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

        Download

      • memory/2080-3-0x000000002AA00000-0x000000002AA04000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2080-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2080-9-0x000000002AA00000-0x000000002AA04000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2080-11-0x000000002AA00000-0x000000002AA04000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2080-6-0x000000002AA00000-0x000000002AA04000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2108-35-0x000000002AA00000-0x000000002AA04000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2340-21-0x00000000003C0000-0x00000000003C2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2340-22-0x00000000003D0000-0x00000000003D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2340-34-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

        Download

      • memory/2816-36-0x0000000002D90000-0x0000000002D91000-memory.dmp

        Filesize

        4KB

        Download