Analysis
  max time kernel:   192s
  max time network:  226s
  platform:          windows7_x64
  resource:          win7-20231215-en
  resource tags:     arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:         25/12/2023, 21:07
Behavioral task behavioral1
  Sample:    3cc459c79a91b295877528ada8f56c56.exe
  Resource:  win7-20231215-en
Behavioral task behavioral2
  Sample:    3cc459c79a91b295877528ada8f56c56.exe
  Resource:  win10v2004-20231215-en
General
  Target:  3cc459c79a91b295877528ada8f56c56.exe
  Size:    50KB
  MD5:     3cc459c79a91b295877528ada8f56c56
  SHA1:    9d894c7e220fe02d29c4da9092ad4174326787c6
  SHA256:  5a7eccf9dd4b02b2b134ac0acf10d6db32a3e5778455d81750f8827571c9100e
  SHA512:  03e6e3ffc00a8a6c0c9ab189879403ca8542092611a17fc530f32765a28d86de6e624b9955fd188e0517475f76632bde0cfa231752d0bb8e4610ad501dacba2e
  SSDEEP:  1536:3OQ5F+U+337lxJpKE5gJLcxB3pwEidGkq5:3p5kU+Zpz54wtOEmNq5
Malware Config
Signatures
Checks BIOS information in registry    2 TTPs   1 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosdate | svchost.exe

YARA match in memory (rule: upx)    1 IoCs
  Resource | YARA rule
  behavioral1/memory/2308-0-0x0000000000400000-0x0000000000423000-memory.dmp | upx

Adds Run key to start application    2 TTPs   2 IoCs
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa = "C:\\Windows\\System32\\aaaaaaaa.exe" | 3cc459c79a91b295877528ada8f56c56.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa = "C:\\Users\\Admin\\aaaaaaaa.exe" | 3cc459c79a91b295877528ada8f56c56.exe

Drops file in System32 directory    1 IoCs
  Description | IoC | Process
  File created | C:\Windows\SysWOW64\aaaaaaaa.exe | 3cc459c79a91b295877528ada8f56c56.exe

Suspicious use of SetThreadContext    1 IoCs
  Description | PID | Process | Target PID
  set thread context | 2308 | 3cc459c79a91b295877528ada8f56c56.exe | 2580 (procid_target 29)

Checks processor information in registry    2 TTPs   2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe

Enumerates system info in registry    2 TTPs   1 IoCs
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate | svchost.exe

Suspicious use of WriteProcessMemory    9 IoCs
  Description | PID | Process | Target PID
  wrote to memory of | 2308 | 3cc459c79a91b295877528ada8f56c56.exe | 2580 (procid_target 29), reported 9 times
Processes
  1. C:\Users\Admin\AppData\Local\Temp\3cc459c79a91b295877528ada8f56c56.exe  (PID 2308)
     command line: "C:\Users\Admin\AppData\Local\Temp\3cc459c79a91b295877528ada8f56c56.exe"
     - Adds Run key to start application
     - Drops file in System32 directory
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\svchost.exe  (PID 2580, child of 2308)
        command line: C:\Windows\System32\svchost.exe
        - Checks BIOS information in registry
        - Checks processor information in registry
        - Enumerates system info in registry
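The raw signature hits above are individually weak; the value is in how they combine. The parent writes into its own svchost.exe child and then changes that child's thread context, which is the classic hollowing sequence, and it is the hollowed svchost.exe (not the sample itself) that then reads the BIOS, video BIOS and CPU identifier keys. Two details also matter for triage: a legitimate svchost.exe is started by services.exe, not by an executable in a user's Temp directory; and because the sample is 32-bit on x64, its writes to System32 were redirected to SysWOW64 (both the dropped aaaaaaaa.exe and the svchost.exe image show this), so the HKLM Run value as written names a System32 path where nothing was dropped. The Python below, an added example and not tria.ge code or output, correlates the events from this report into those findings. The event records are constructed from the tables above (PIDs, paths and registry keys as reported); the record schema and the sample's own parent PID (not shown on the page, set to None) are assumptions of the example.

```python
"""Correlate the behavioural events in this report into analyst findings.

Added example for this page, not tria.ge code or output. EVENTS is
constructed from the signature tables and process tree above (PIDs, paths
and registry keys as reported); the record schema and the sample's own
parent PID (unknown on the page, set to None) are this example's assumptions.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3cc459c79a91b295877528ada8f56c56.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa"
HKU_RUN = (r"\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa")
HW_DESC = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"

EVENTS = (
    [{"op": "process_start", "pid": 2308, "ppid": None, "image": SAMPLE},
     {"op": "process_start", "pid": 2580, "ppid": 2308, "image": SVCHOST},
     {"op": "file_create", "pid": 2308, "path": r"C:\Windows\SysWOW64\aaaaaaaa.exe"},
     {"op": "reg_set", "pid": 2308, "key": HKLM_RUN, "value": r"C:\Windows\System32\aaaaaaaa.exe"},
     {"op": "reg_set", "pid": 2308, "key": HKU_RUN, "value": r"C:\Users\Admin\aaaaaaaa.exe"},
     {"op": "set_thread_context", "pid": 2308, "target": 2580}]
    + [{"op": "write_process_memory", "pid": 2308, "target": 2580}] * 9  # 9 IoCs reported
    + [{"op": "reg_query", "pid": 2580, "key": HW_DESC + r"\SystemBiosdate"},
       {"op": "reg_query", "pid": 2580, "key": HW_DESC + r"\CentralProcessor\0\Identifier"},
       {"op": "reg_query", "pid": 2580, "key": HW_DESC + r"\VideoBiosDate"}]
)


def analyze(events):
    """Return a dict of finding-name -> list of tuples derived from the events."""
    findings = defaultdict(list)
    image = {e["pid"]: e["image"] for e in events if e["op"] == "process_start"}
    parent = {e["pid"]: e["ppid"] for e in events if e["op"] == "process_start"}
    created = {e["path"].lower() for e in events if e["op"] == "file_create"}

    # 1. Run-key persistence, checked against what the sample actually dropped.
    #    A 32-bit process writing under System32 on x64 is redirected to SysWOW64,
    #    so a Run value naming System32 may point at a path that never received a file.
    for e in events:
        if e["op"] == "reg_set" and "\\currentversion\\run\\" in e["key"].lower():
            target = e["value"].strip('"').lower()
            if target in created:
                status = "target dropped"
            elif target.replace("\\system32\\", "\\syswow64\\") in created:
                status = ("target dropped under SysWOW64 (WoW64 file redirection); "
                          "a 64-bit loader resolving this value will look in System32")
            else:
                status = "target not observed being dropped"
            findings["persistence"].append((e["pid"], e["key"], e["value"], status))

    # 2. Memory writes plus a thread-context change into the writer's own child:
    #    the sequence used by process hollowing (flagged as consistent-with, not proof).
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        if e["op"] == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["op"] == "set_thread_context":
            ctx.add((e["pid"], e["target"]))
    for src, dst in sorted(ctx):
        if writes[(src, dst)] and parent.get(dst) == src:
            findings["injection"].append((src, dst, writes[(src, dst)]))

    # 3. svchost.exe whose parent is not services.exe is not a real service host.
    for pid, img in image.items():
        if img.lower().endswith("\\svchost.exe"):
            pimg = image.get(parent.get(pid), "")
            if not pimg.lower().endswith("\\services.exe"):
                findings["anomalous_svchost"].append((pid, parent.get(pid)))

    # 4. Hardware-description reads (BIOS date, CPU identifier, video BIOS date)
    #    grouped per process; two or more from one process reads as fingerprinting.
    probes = defaultdict(set)
    for e in events:
        if e["op"] == "reg_query" and e["key"].lower().startswith(HW_DESC.lower()):
            probes[e["pid"]].add(e["key"].rsplit("\\", 1)[-1])
    for pid, keys in probes.items():
        if len(keys) >= 2:
            findings["sandbox_probe"].append((pid, sorted(keys)))

    return dict(findings)


if __name__ == "__main__":
    for name, items in analyze(EVENTS).items():
        print(name)
        for item in items:
            print("   ", item)
```

The per-process grouping in step 4 is deliberate: a single read of the CPU identifier is common in benign software, but the same process reading BIOS date, video BIOS date and CPU identifier together, inside a child that was just written to and re-pointed by its parent, is the pattern worth alerting on. Step 1 reports the HKLM entry separately from the user-hive entry because their outcomes differ: one has a dropped file at the redirected path, the other has no observed drop at all in this run.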