Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 61s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2022, 00:53
Static task: static1
Behavioral task: behavioral1
  Sample: 2a83a871b43545ff86640c2ae36bd3b64903f850dfd5ccc97acbe52b1f63839d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2a83a871b43545ff86640c2ae36bd3b64903f850dfd5ccc97acbe52b1f63839d.exe
  Resource: win10v2004-20220812-en
General
Target: 2a83a871b43545ff86640c2ae36bd3b64903f850dfd5ccc97acbe52b1f63839d.exe
Size: 162KB
MD5: 0ac18ae1df521bfb9b1a4cc4d2cbb170
SHA1: 00b374204fd8effefbaa0ca002cc05a79d0f765d
SHA256: 2a83a871b43545ff86640c2ae36bd3b64903f850dfd5ccc97acbe52b1f63839d
SHA512: 253ddc30c960dafb407a11a5c70e5a8e3e1c290452d3c74892954d9c9859a6c87c82362b945f462b3240e4977c3bc4362484df901ee4196b4fc1865e58a57f7b
SSDEEP: 3072:ZliwDUWyFcB9fu+JMl2uU82Ws7f9sjboPACTQembG4hY/i1vAE:ZldD1Yc7GIBgbzjbfLhRWE
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  1760 | nswitkh.exe
Modifies AppInit DLL entries (2 TTPs)
Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\nswitkh.exe | 2a83a871b43545ff86640c2ae36bd3b64903f850dfd5ccc97acbe52b1f63839d.exe
  File created | C:\PROGRA~3\Mozilla\zgooxfa.dll | nswitkh.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1124 wrote to memory of 1760 | 1124 | taskeng.exe | 29 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\2a83a871b43545ff86640c2ae36bd3b64903f850dfd5ccc97acbe52b1f63839d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a83a871b43545ff86640c2ae36bd3b64903f850dfd5ccc97acbe52b1f63839d.exe"
  PID: 1892
  Signatures: Drops file in Program Files directory
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {15CD5328-37FC-4AD2-9F4A-B007E8C8A588} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1124
  Signatures: Suspicious use of WriteProcessMemory
  Child: C:\PROGRA~3\Mozilla\nswitkh.exe
    Command line: C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
    PID: 1760
    Signatures: Executes dropped EXE; Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 62KB
MD5: 57b0781f8c1279f11df5dcfc30e5404f
SHA1: 7de6b4a75c189f684f49267cfda7f57f46862b04
SHA256: b68d1f2155b7c0f23c03107f5e6bc7e3717ae73e3169cee9222b4845b53e154f
SHA512: 9dcb9e0c62a93f44df82804db48de65ff11114cd68ba0effa93b70c213a4ef202b9fe2298cf5d381c93a9485085e9191f8c9c084f809b3de1d9f8a54610052ad

Filesize: 54KB
MD5: e8321afd3d7fac12c921295bb260fb51
SHA1: a044ca0b0540792589fb29dbfd96e429e387beb9
SHA256: 67763bbee1636aa28928c871bc32baac7ea79848f04fcfcea98f1d70330e09d1
SHA512: c7252424a43626668e0d29996218093586762adf2a684a88df2b43e20f45874e3d417986260da28e3bb9f257bd4ac9354024dfe8e2f5e1a18560e7c1cc2be075