Analysis
max time kernel: 36s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2022, 20:24
Static task: static1
Behavioral task: behavioral1
Sample: 41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe
Resource: win10v2004-20220812-en
General
Target: 41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe
Size: 133KB
MD5: a03b16f4e03f6b67fb5943fd078a4d50
SHA1: 4e5c187bb1442ce7dcd828bcd2f26884c45a98c2
SHA256: 41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871
SHA512: f6083ae30a4e2f75a27ef3e65124f746fc246e4874d2488fe4a4d5b154ff80a789d2a5a08199ca06f4f2406ddb043dcedc1a2c04453cef8841662e89672265ea
SSDEEP: 3072:HAwEvRRdqcqpaiVPfGHO4xATzlypxd7CQn3pij:TcRWcslXWRpjCS5M
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1904 | nswitkh.exe
- Modifies AppInit DLL entries (2 TTPs)
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\nswitkh.exe | 41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe
  File created | C:\PROGRA~3\Mozilla\zgooxfa.dll | nswitkh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 820 wrote to memory of 1904 | 820 | taskeng.exe | 29
  PID 820 wrote to memory of 1904 | 820 | taskeng.exe | 29
  PID 820 wrote to memory of 1904 | 820 | taskeng.exe | 29
  PID 820 wrote to memory of 1904 | 820 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe"
  Signatures: Drops file in Program Files directory
  PID: 952
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B22488B7-5A8F-4C04-916F-5BDFAB68C106} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  PID: 820
  - C:\PROGRA~3\Mozilla\nswitkh.exe (child of taskeng.exe, PID 820)
    Command line: C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
    Signatures: Executes dropped EXE; Drops file in Program Files directory
    PID: 1904
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 133KB
MD5: d41d81b450004fe8a3f6b373788b6977
SHA1: bd46b8db2e79a2f7d92d0e97a46329ac55f05aa1
SHA256: d285aeee5df87f5db6858fecf0b398a5eec48a3ca05296b7fd26517785aafb96
SHA512: 3a455d2026146a07710d9fa51a411ec9999336e4251a5d565338ccc798b9d6c0117af59117bc0eeb417426980c08fa45e2a67fcefb96fda31e615c8f082a0cf2