Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
167s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/12/2023, 08:53
Static task
static1
Behavioral task
behavioral1
Sample
133d43885a96c4e24a1898e89cb8662b.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
133d43885a96c4e24a1898e89cb8662b.exe
Resource
win10v2004-20231222-en
General
-
Target
133d43885a96c4e24a1898e89cb8662b.exe
-
Size
40KB
-
MD5
133d43885a96c4e24a1898e89cb8662b
-
SHA1
1ddce979af178cc587175138971d39a12701a0d5
-
SHA256
00a883b1f66bb54dd01b0a0f49f68380d11e034aa2a6af70536506bf028bf589
-
SHA512
eb93af350332516d68f19075df42aa77751b92c43dd1650dfe066bf54e91d1691325d3bf8b780a0cbef300f1a8377f59afffb3f0f07b9f1fb532cd9c1dd05e6a
-
SSDEEP
768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHjo:aqk/Zdic/qjh8w19JDHjo
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2756 services.exe -
resource yara_rule behavioral1/memory/1936-4-0x00000000001B0000-0x00000000001B8000-memory.dmp upx behavioral1/files/0x0034000000016312-7.dat upx behavioral1/memory/2756-10-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-16-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-20-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-25-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-26-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-30-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-34-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-35-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-39-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-43-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-61-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-64-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-68-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-69-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2756-73-0x0000000000400000-0x0000000000408000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 133d43885a96c4e24a1898e89cb8662b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\services.exe 133d43885a96c4e24a1898e89cb8662b.exe File opened for modification C:\Windows\java.exe 133d43885a96c4e24a1898e89cb8662b.exe File created C:\Windows\java.exe 133d43885a96c4e24a1898e89cb8662b.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1936 wrote to memory of 2756 1936 133d43885a96c4e24a1898e89cb8662b.exe 28 PID 1936 wrote to memory of 2756 1936 133d43885a96c4e24a1898e89cb8662b.exe 28 PID 1936 wrote to memory of 2756 1936 133d43885a96c4e24a1898e89cb8662b.exe 28 PID 1936 wrote to memory of 2756 1936 133d43885a96c4e24a1898e89cb8662b.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\133d43885a96c4e24a1898e89cb8662b.exe"C:\Users\Admin\AppData\Local\Temp\133d43885a96c4e24a1898e89cb8662b.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\services.exe"C:\Windows\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2756
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD521902dd8d16a0ded0dcee0ed22452e32
SHA11e4b1402fdbe33daa764d6041d5c1ee48b9f14ba
SHA256e9c2cd399137ccf3ed74e458102cc69df7454992600f0dbba3f3282e7ccdf4a9
SHA51225325c115ab236e6aa899e236dc631371b671b8d09f31aff7b0bed3296723701d9d1c5cbce27ed1f3a75831f338497ba8d34bdb79595cad4c6ec23f8a1fce6dc
-
Filesize
40KB
MD507010752ade082e3075053979ae3f979
SHA1463f22786b61e21267f6d6bb44c8a77599ed3135
SHA256b11cf1569b435e9ad2019e92f8f587464779b40c95795e0b2a18a8d795c214fb
SHA512da77245a9ef1ccf71454f3eecfd152f058979f09ec8ebf8d4dbafbe701d6f439c53bc44f20791796554541c1f1e22b1e9bd3d8a8a8b8328ce4054b4c60406a51
-
Filesize
1KB
MD5274b49a449e78fc98f2c12ba09b2bbdb
SHA17896e876f497db6e10d8bf6907f05a9b53e7f3c8
SHA25657dd37ce4c93257fe8f9c396c1336cbd02876107e8607ff42d0da5187b41a773
SHA512835faa373124f52bf139f2819124b6dd9041bde46b0b43de8b47c33b3787c3768018eb5a51aee15bdfcca29e3b6470adfcb00b773c0096bc3fc32e36afcf4718
-
Filesize
8KB
MD5b0fe74719b1b647e2056641931907f4a
SHA1e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA5129c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2