Analysis
max time kernel: 104s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2022, 20:10
Static task: static1
Behavioral task: behavioral1
Sample: 6644071ffa5cb116ddd79a633d34c7e6d5cf9eacd09b62509663a5257e333c21.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 6644071ffa5cb116ddd79a633d34c7e6d5cf9eacd09b62509663a5257e333c21.exe
Resource: win10v2004-20220812-en
General
Target: 6644071ffa5cb116ddd79a633d34c7e6d5cf9eacd09b62509663a5257e333c21.exe
Size: 136KB
MD5: 9056c1942f1ed9a80fe1f1a39da09d90
SHA1: e54941af62967c7618577fe080b04c32f808bf50
SHA256: 6644071ffa5cb116ddd79a633d34c7e6d5cf9eacd09b62509663a5257e333c21
SHA512: 1b2eff258bb0f6e416b3e37b2f34fde4fe5ff4ba7fcffd97543cec3397c81b119607269fc24d2aeebcdd7f4e5a7390c107715d53e6fa08cece1fe45554466ebf
SSDEEP: 3072:pZ3sQnKWE58kSL5BybtSarantYanMFxmQOOgVw1c8oNAEEn:z3sQf4SHybt35XFxHOVw7oeE0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | Process
  1588 | nswitkh.exe
- Modifies AppInit DLL entries (2 TTPs)
- Drops file in Program Files directory (2 IoCs)
  description  | ioc                             | Process
  File created | C:\PROGRA~3\Mozilla\nswitkh.exe | 6644071ffa5cb116ddd79a633d34c7e6d5cf9eacd09b62509663a5257e333c21.exe
  File created | C:\PROGRA~3\Mozilla\zgooxfa.dll | nswitkh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | Process     | procid_target
  PID 1716 wrote to memory of 1588 | 1716 | taskeng.exe | 29
  PID 1716 wrote to memory of 1588 | 1716 | taskeng.exe | 29
  PID 1716 wrote to memory of 1588 | 1716 | taskeng.exe | 29
  PID 1716 wrote to memory of 1588 | 1716 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\6644071ffa5cb116ddd79a633d34c7e6d5cf9eacd09b62509663a5257e333c21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6644071ffa5cb116ddd79a633d34c7e6d5cf9eacd09b62509663a5257e333c21.exe"
  PID: 1032
  - Drops file in Program Files directory
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {7F547DCF-AB6D-4DC1-9656-A53599CDC312} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1716
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\nswitkh.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
    PID: 1588
    - Executes dropped EXE
    - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: f1c095f804290d66d524ea7738850d4e
SHA1: 92fb3e84ed3561380d1927daa7e07e2295550740
SHA256: 988eebca41643e3a96cab1c7bf8ee4ac61cde5bba5a2b608ac5a3f4c72cc4b4f
SHA512: c13236f6bb047036b8a0295f4320918c9d75a659c0e94260d2b34aea28fb4a29858a09bc74edb117bc2e7d276cda9f8243f841183c74dd2bfe78693bc53e3adc