Analysis
max time kernel: 86s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2022, 08:15
Static task
static1
Behavioral task
behavioral1
Sample
ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe
Resource
win10v2004-20220812-en
General
Target: ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe
Size: 208KB
MD5: 5696470dab2dd05cc18b4c194e584240
SHA1: e2e294a21ccc0ea6e30a80001436ff273b2e1bd8
SHA256: ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a
SHA512: 5707972208b1254a379babf050cadfedcfa2b3b34b45ff463f169da61c0f4669110c24b8d308f2b760d48add4a80d3542e12b97a1675386f38eb81edd7fb38aa
SSDEEP: 6144:GByL0NrMTObdBq6tsR7rQxFm1u5Gk6R9jw+:wXhBqvVcG1LkY9jw+
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1916 | nswitkh.exe
- Modifies AppInit DLL entries (2 TTPs)
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\nswitkh.exe | ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe
  File created | C:\PROGRA~3\Mozilla\zgooxfa.dll | nswitkh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1684 wrote to memory of 1916 | 1684 | taskeng.exe | 28
  PID 1684 wrote to memory of 1916 | 1684 | taskeng.exe | 28
  PID 1684 wrote to memory of 1916 | 1684 | taskeng.exe | 28
  PID 1684 wrote to memory of 1916 | 1684 | taskeng.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe"
  level: 1
  - Drops file in Program Files directory
  PID: 1108
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {F0C44BA1-99BD-4D47-BAE0-B5C84329EC1D} S-1-5-18:NT AUTHORITY\System:Service:
  level: 1
  - Suspicious use of WriteProcessMemory
  PID: 1684
  - C:\PROGRA~3\Mozilla\nswitkh.exe
    command line: C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
    level: 2 (child of taskeng.exe, PID 1684)
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID: 1916
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 208KB
  MD5: eff393397e69399bfe1d65fe31dc6f01
  SHA1: f7175f17d096c458ed0c5827932115deaca3f0e9
  SHA256: 8139488fe6f97cb82fafe827e8eebc9f0e6fc7cb2194585d06139bb59e78b1d9
  SHA512: 7a8175c966ac31c3cf3f147fdb326f41f160d520c7ad423e20f31474b4aa50ae9db5567d546d335ef92da1f15db84991402768c1c514d477ecc80fd1e9617067
- Filesize: 208KB
  MD5: eff393397e69399bfe1d65fe31dc6f01
  SHA1: f7175f17d096c458ed0c5827932115deaca3f0e9
  SHA256: 8139488fe6f97cb82fafe827e8eebc9f0e6fc7cb2194585d06139bb59e78b1d9
  SHA512: 7a8175c966ac31c3cf3f147fdb326f41f160d520c7ad423e20f31474b4aa50ae9db5567d546d335ef92da1f15db84991402768c1c514d477ecc80fd1e9617067