Analysis
max time kernel: 53s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2022, 00:34
Static task: static1
Behavioral task: behavioral1
  Sample: 6ab1e3b5ce509aea6849c8bcec66821b4bd5c481236e2f0b12b95989f7fa4655.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6ab1e3b5ce509aea6849c8bcec66821b4bd5c481236e2f0b12b95989f7fa4655.exe
  Resource: win10v2004-20220812-en
General
Target: 6ab1e3b5ce509aea6849c8bcec66821b4bd5c481236e2f0b12b95989f7fa4655.exe
Size: 166KB
MD5: 0ffce146d28d6b691490c83205a9ae50
SHA1: e75075391fcc666d7ec64a3752df474a5308cade
SHA256: 6ab1e3b5ce509aea6849c8bcec66821b4bd5c481236e2f0b12b95989f7fa4655
SHA512: 9f925dfcc2f8feaabe2ce0a1d536a4d04e765a9c9da3cca79c8252dfe0f57b646a1461e4fc9c624b1826897efb136ce3b7e7dd2452ba0b6188456fbeb3f7cff7
SSDEEP: 3072:AQZ2HjtRWsfssW+qKgRCogXMyYAhcuEDeiLS87pAAL/oOL:m7fs2UCoIcrDJScLQW
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1052: nswitkh.exe
Modifies AppInit DLL entries (2 TTPs)
Drops file in Program Files directory (2 IoCs)
  File created: C:\PROGRA~3\Mozilla\nswitkh.exe (by 6ab1e3b5ce509aea6849c8bcec66821b4bd5c481236e2f0b12b95989f7fa4655.exe)
  File created: C:\PROGRA~3\Mozilla\zgooxfa.dll (by nswitkh.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1768 wrote to memory of 1052 | 1768 | taskeng.exe | 28
  PID 1768 wrote to memory of 1052 | 1768 | taskeng.exe | 28
  PID 1768 wrote to memory of 1052 | 1768 | taskeng.exe | 28
  PID 1768 wrote to memory of 1052 | 1768 | taskeng.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\6ab1e3b5ce509aea6849c8bcec66821b4bd5c481236e2f0b12b95989f7fa4655.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ab1e3b5ce509aea6849c8bcec66821b4bd5c481236e2f0b12b95989f7fa4655.exe"
  Drops file in Program Files directory
  PID: 1392
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {67A561F8-0A9F-4B32-9A57-A4D704C276B6} S-1-5-18:NT AUTHORITY\System:Service:
  Suspicious use of WriteProcessMemory
  PID: 1768
  C:\PROGRA~3\Mozilla\nswitkh.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
    Executes dropped EXE
    Drops file in Program Files directory
    PID: 1052
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 21KB
MD5: 5340da52d866ac7b63fac6e57a4e3fba
SHA1: 1f898c9ba4a2f4e212ddab3976defabd1b6a1012
SHA256: 647c249c2ecaeca321b786ebc9ba1e4d87261b1041ebb9728e331f7dfeef2af9
SHA512: 48869ee31833ad354ba3e2fd000669aca443046e24b4bbf9fc09d7826b7cea37f09af1026e5e98086a6a00735abcd623942804f89c32a319e85b5cc646a0806a

Filesize: 28KB
MD5: 51b7b930a53f974340fa538b8ada6110
SHA1: 4a833bf514d65259383bc0078cecda24e0d36f8f
SHA256: a90728aa846bdfc746d57e5bf228dd8105c7efb3f76a1328bfd13d025cf17cb7
SHA512: 9e89138dad362a76961f99fb7e7531580f78d5701aabe84625fce6d629b437cb1c4919759959cee8c7ebc18775a1b04515fd88b0186c87b2835be209b6d7d8b6