Analysis
  max time kernel: 225s
  max time network: 336s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 01/12/2022, 02:10
Behavioral task: behavioral1
  Sample: 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe
  Resource: win7-20221111-en
General
  Target: 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe
  Size: 921KB
  MD5: 9fdd78f392b72b603acb0158fb1c4cd8
  SHA1: ee199a4156ff5e1eb8ef19fd336f4ea592309ad3
  SHA256: 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715
  SHA512: 3cea0b92d8feeb80594f2f334e24e36911a08b0596caf3cf2bc36f314b0120832ffa60d191331b6cb2e2ac348116d39127f7a66610e6558cb60e939b3bf5e280
  SSDEEP: 24576:MD6YMwAfJAFF6B0rGkvRVuLhMaXVTFF3CflX70IXSLO:M+YMwOJAF02JGhtXtFFSflL0I
Malware Config
Signatures
Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine | 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe

YARA rule matches (themida)
  resource | yara_rule
  behavioral1/memory/692-54-0x0000000000400000-0x000000000060B000-memory.dmp | themida
  behavioral1/memory/692-58-0x0000000000400000-0x000000000060B000-memory.dmp | themida
  behavioral1/memory/692-57-0x0000000000400000-0x000000000060B000-memory.dmp | themida
  behavioral1/memory/692-59-0x0000000000400000-0x000000000060B000-memory.dmp | themida

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  692 | 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 692 set thread context of 1968 | 692 | 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe | 28

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  692 | 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 692 wrote to memory of 1968 | 692 | 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe | 28
  PID 692 wrote to memory of 1968 | 692 | 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe | 28
  PID 692 wrote to memory of 1968 | 692 | 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe | 28
  PID 692 wrote to memory of 1968 | 692 | 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe | 28
  PID 692 wrote to memory of 1968 | 692 | 82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe | 28
Processes
  1. C:\Users\Admin\AppData\Local\Temp\82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe (PID 692)
     command line: "C:\Users\Admin\AppData\Local\Temp\82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe"
     - Identifies Wine through registry keys
     - Suspicious use of NtSetInformationThreadHideFromDebugger
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\notepad.exe (PID 1968)
        command line: C:\Windows\system32\notepad.exe