Overview

Tasks and scores (from the report's task tabs; the score badge follows each task name on the original page):

- Overview (overall): 7
- Static: 1
- download.zip, windows7-x64: 1
- download.zip, windows10-2004-x64: 1
- setup.exe, windows7-x64: 7
- setup.exe, windows10-2004-x64: 7
- setupapi.dll, windows7-x64: 1
- setupapi.dll, windows10-2004-x64: 1
- verifier.dll, windows7-x64: 1
- verifier.dll, windows10-2004-x64: 1
- version.dll, windows7-x64: 3
- version.dll, windows10-2004-x64: 3
- vulkan.dll, windows7-x64: 3
- vulkan.dll, windows10-2004-x64: 3

Analysis

- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/03/2023, 20:19
Tasks

- static1: static task
- behavioral1: download.zip on win7-20230220-en
- behavioral2: download.zip on win10v2004-20230220-en
- behavioral3: setup.exe on win7-20230220-en
- behavioral4: setup.exe on win10v2004-20230220-en
- behavioral5: setupapi.dll on win7-20230220-en
- behavioral6: setupapi.dll on win10v2004-20230221-en
- behavioral7: verifier.dll on win7-20230220-en
- behavioral8: verifier.dll on win10v2004-20230220-en
- behavioral9: version.dll on win7-20230220-en
- behavioral10: version.dll on win10v2004-20230220-en
- behavioral11: vulkan.dll on win7-20230220-en
- behavioral12: vulkan.dll on win10v2004-20230221-en

Note that behavioral6 and behavioral12 ran on the 20230221 Windows 10 image rather than the 20230220 image used by the other Windows 10 tasks.
General

- Target: setup.exe
- Size: 445.4MB
- MD5: b77fe22a340a87e451b4f5f062b7a1bc
- SHA1: 5fd3aedfb1340a6a921d305778a639f32bf0793c
- SHA256: 1b5f0b126d7116a817fcb25547f32af39c30daa28b29f1d489f1a67662da9c50
- SHA512: 8e2e982530c414475f15dd76d7f7b79fced453f8a9145090241a3d21584786d11a4f62ff612752676a853901bb588a4e42d6f7d23b28f7fc7716b135ce9984c1
- SSDEEP: 98304:GkLxL9c9WJPSHRzilwSzrgGZgffmfmpS4if/7eayQQ4y:xR9c9eqH9ilweGmfyS3fj/O
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key queried by setup.tmp: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation

- Executes dropped EXE (2 IoCs)
  PID 4912 setup.tmp; PID 4144 setup.tmp

- Loads dropped DLL (2 IoCs)
  PID 4912 setup.tmp; PID 4144 setup.tmp

- Suspicious use of SetThreadContext (1 IoC)
  PID 4144 (setup.tmp) set the thread context of PID 3192 (procid_target 96; explorer.exe in the process tree below).

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s); the report labels this as likely ransomware behaviour. On its own this heuristic is weak evidence, since installers that check install targets or free space also enumerate drives.

- Suspicious use of WriteProcessMemory (13 IoCs)
  Each "wrote to memory of" line on the original page is one IoC; grouped by source and target:
  - PID 2928 setup.exe wrote to PID 4912 (procid_target 90): 3 IoCs
  - PID 4912 setup.tmp wrote to PID 5080 (procid_target 93): 3 IoCs
  - PID 5080 setup.exe wrote to PID 4144 (procid_target 94): 3 IoCs
  - PID 4144 setup.tmp wrote to PID 3192 (procid_target 96): 4 IoCs
  The first three pairs are each parent writing into the child it just spawned; only the last pair is also followed by a SetThreadContext call on the same target.
Processes

- Level 1: C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  PID 2928. Signatures: Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\is-UR9TV.tmp\setup.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-UR9TV.tmp\setup.tmp" /SL5="$F0034,4797154,948736,C:\Users\Admin\AppData\Local\Temp\setup.exe"
    PID 4912. Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
      PID 5080. Signatures: Suspicious use of WriteProcessMemory
      - Level 4: C:\Users\Admin\AppData\Local\Temp\is-PP4VI.tmp\setup.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-PP4VI.tmp\setup.tmp" /SL5="$100034,4797154,948736,C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
        PID 4144. Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - Level 5: C:\Windows\SysWOW64\explorer.exe
          Command line: explorer.exe
          PID 3192

Reading the tree: the is-XXXXX.tmp\setup.tmp stage, the /SL5="$hwnd,offset,size,path" argument and the /VERYSILENT switch are Inno Setup conventions, so levels 1 to 4 are an Inno Setup installer whose first bootstrapper re-launches the same setup.exe silently. The final step is what separates this run from an ordinary installer: setup.tmp (PID 4144) starts a 32-bit explorer.exe from SysWOW64, writes into its memory four times and then calls SetThreadContext on it, a sequence consistent with process hollowing. What was written into explorer.exe is not recorded on this page, so the payload itself is not identified here.
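As an added example (not tria.ge code or output), the script below transcribes the process tree and the WriteProcessMemory/SetThreadContext IoCs from this report into a small event list and applies the correlation a detection engineer would use to tell the Inno Setup bootstrapper's ordinary parent-to-child writes apart from the final injection into explorer.exe. The (api, source pid, target pid) tuple layout, the directory heuristics and all function names are this example's own assumptions, not a tria.ge format.

```python
"""Correlate sandbox process events into a process-hollowing finding.

Added example, not tria.ge code. PROCESSES and EVENTS are transcribed from
this report; the tuple layout and the path heuristics are assumptions.
"""
import ntpath
from collections import Counter

# Process tree from the report: pid -> (image path, parent pid)
PROCESSES = {
    2928: (r"C:\Users\Admin\AppData\Local\Temp\setup.exe", None),
    4912: (r"C:\Users\Admin\AppData\Local\Temp\is-UR9TV.tmp\setup.tmp", 2928),
    5080: (r"C:\Users\Admin\AppData\Local\Temp\setup.exe", 4912),
    4144: (r"C:\Users\Admin\AppData\Local\Temp\is-PP4VI.tmp\setup.tmp", 5080),
    3192: (r"C:\Windows\SysWOW64\explorer.exe", 4144),
}

# One tuple per "wrote to memory of" / "set thread context of" line in the
# Signatures section: (api, source pid, target pid).
EVENTS = (
    [("WriteProcessMemory", 2928, 4912)] * 3
    + [("WriteProcessMemory", 4912, 5080)] * 3
    + [("WriteProcessMemory", 5080, 4144)] * 3
    + [("WriteProcessMemory", 4144, 3192)] * 4
    + [("SetThreadContext", 4144, 3192)]
)

# Assumed heuristics: OS binaries live directly in these directories,
# droppers run from user-writable locations.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")


def is_system_image(path):
    """True if the image sits directly in System32 or SysWOW64."""
    return ntpath.dirname(path.lower()) in SYSTEM_DIRS


def is_user_writable(path):
    """True if the image path contains a user-writable directory marker."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def hollowing_candidates(processes, events):
    """Return injector/victim pairs matching the hollowing sequence:
    source spawned the target, wrote into it and replaced a thread context,
    with the target an OS binary and the source a user-writable file."""
    writes = Counter((s, t) for api, s, t in events if api == "WriteProcessMemory")
    ctx_changes = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    findings = []
    for src, dst in sorted(ctx_changes):
        if (src, dst) not in writes:
            continue
        src_image, _ = processes[src]
        dst_image, dst_parent = processes[dst]
        if dst_parent != src:
            continue
        if not (is_system_image(dst_image) and is_user_writable(src_image)):
            continue
        findings.append({
            "injector": src, "injector_image": src_image,
            "victim": dst, "victim_image": dst_image,
            "writes": writes[(src, dst)],
        })
    return findings


def launcher_chain(processes, events):
    """Parent-to-child write pairs with no thread-context change. In this
    report that is the Inno Setup bootstrapper chain, which a rule keyed on
    WriteProcessMemory alone would report as three extra hits."""
    ctx_changes = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    return sorted({(s, t) for api, s, t in events
                   if api == "WriteProcessMemory"
                   and (s, t) not in ctx_changes
                   and processes[t][1] == s})


GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


def is_geofence_probe(registry_key):
    """Matches the key behind the 'Checks computer location settings' IoC."""
    return registry_key.lower().endswith(GEO_NATION_SUFFIX)


if __name__ == "__main__":
    for f in hollowing_candidates(PROCESSES, EVENTS):
        print(f"hollowing candidate: PID {f['injector']} ({f['injector_image']}) "
              f"-> PID {f['victim']} ({f['victim_image']}), {f['writes']} writes")
    print("launcher writes, not flagged:", launcher_chain(PROCESSES, EVENTS))
```

Run as-is it reports the single 4144 -> 3192 pair and lists the three bootstrapper pairs separately; dropping the SetThreadContext event from EVENTS makes the candidate list empty, which is the point of requiring both APIs on the same parent/child pair rather than alerting on WriteProcessMemory alone.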
Network
MITRE ATT&CK Enterprise v6
Downloads

Two dropped files are listed (each entry appears twice on the original page):

- Filesize: 308KB
  MD5: c3eaba36ce47365730ceeff3830f9d2d
  SHA1: 0d65764bec452359610c090e751f7723201a0518
  SHA256: 765a1b2b923103b40bcc41457d8c49a4091c85310585a4d550576f1cc079b4f3
  SHA512: 4c0cc30c73928f2f2acf4c9044c5dc3677243c3ae99068740cb5651cac35ca54b35556a7c0562a254b2ed1bdf465a7b57d1a65f23acffdc99161adb9de5cd308

- Filesize: 3.1MB
  MD5: 21ed2465bec636173ba17bc8b953badb
  SHA1: e79566305dbda8661e435092db36f5ac22d85559
  SHA256: bfa8b67c76ac0828d36502393c81163387017c7db980d10f9771686cc7b9b8e1
  SHA512: 0713c453ea727673c7230d40a7ace6fb0599a0260666d4cb46c70731bf69d77874221c3c9dc36b4383986bbe3f631585e072ba10330bba307c501cdd7838df1b