Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 15:44
Static task
- static1
Behavioral task
- behavioral1: sample 2a4505b182629cf5fb8ede078b70c699.exe, resource win7-20231215-en
Behavioral task
- behavioral2: sample 2a4505b182629cf5fb8ede078b70c699.exe, resource win10v2004-20231215-en
General
- Target: 2a4505b182629cf5fb8ede078b70c699.exe
- Size: 28KB
- MD5: 2a4505b182629cf5fb8ede078b70c699
- SHA1: 893513d62906c2800b0a83e99bc24de28ecdcb3a
- SHA256: 58dff546c678714bbfaf8d84d1f29f41ed74a7eed60d2512665a19d572a36f1d
- SHA512: c4b1cce06e150319d99b94b01b085c5fd79e5bf0a6bb5ea759cf18bb9887a5bdbe7753da2e25192d4a7ad8958971a9fb0b37c57d8f637a22cc911cd7133fd39e
- SSDEEP: 384:gy+ppmj1VlhX4WaXzfwwXNyiDx10jaQpRveBj0YUSHNpXoEqPQ0:gy+ppmjflhXDMzfww9VypRvyLVqp
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\978A39.exe" | svchost.exe
- Deletes itself (1 IoCs)
  pid | Process
  2372 | svchost.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2a4505b182629cf5fb8ede078b70c699.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2a4505b182629cf5fb8ede078b70c699.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  2212 | 2a4505b182629cf5fb8ede078b70c699.exe
  2212 | 2a4505b182629cf5fb8ede078b70c699.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2212 wrote to memory of 2372 | 2212 | 2a4505b182629cf5fb8ede078b70c699.exe | 28
  PID 2212 wrote to memory of 2372 | 2212 | 2a4505b182629cf5fb8ede078b70c699.exe | 28
  PID 2212 wrote to memory of 2372 | 2212 | 2a4505b182629cf5fb8ede078b70c699.exe | 28
  PID 2212 wrote to memory of 2372 | 2212 | 2a4505b182629cf5fb8ede078b70c699.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\2a4505b182629cf5fb8ede078b70c699.exe (PID 2212), command line: "C:\Users\Admin\AppData\Local\Temp\2a4505b182629cf5fb8ede078b70c699.exe"
  - Maps connected drives based on registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2372, child of 2212), command line: svchost.exe
    - Adds policy Run key to start application
    - Deletes itself