Analysis
max time kernel: 191s
max time network: 158s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 07:16
Static task: static1
Behavioral task behavioral1: sample setup.exe, resource win7-20231215-en
Behavioral task behavioral2: sample setup.exe, resource win10v2004-20231215-en
Behavioral task behavioral3: sample 安装说明.url, resource win7-20231215-en
Behavioral task behavioral4: sample 安装说明.url, resource win10v2004-20231215-en
General
Target: setup.exe
Size: 1.8MB
MD5: 841451e01863ba09a3a7327da616e642
SHA1: 735a3eb50f247fe6bd13e8a8f40eb8741f19642c
SHA256: 7dbe11f7b8cbc7f7eba8311ae51cdb6c8def800f04401c44306b04de812cb927
SHA512: 2b17d0fec6124ca778e4a0ba761501f138dbe2e7010dcfe0c3b036ce706b3ba9bc3fba0e1f8aeccc25c6cf2d17c69650feeffc91736af69ecc0d35cfe427bc4b
SSDEEP: 49152:gGpT0dFZSi7Tb4T7xC/4K20TT2xzBpux3y1rs3xHE/lz0:9pIdSiruo/4K20TT2xlMk9CdEC
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2676, process is-RDG3L.tmp
Loads dropped DLL (4 IoCs)
  pid 2544, process setup.exe
  pid 2676, process is-RDG3L.tmp
  pid 2676, process is-RDG3L.tmp
  pid 2676, process is-RDG3L.tmp
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2676, process is-RDG3L.tmp
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2544 (setup.exe) wrote to memory of PID 2676, procid_target 29; the same event is recorded 7 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
   PID: 2544
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-U6KA6.tmp\is-RDG3L.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-U6KA6.tmp\is-RDG3L.tmp" /SL4 $4015E "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1595381 49664
      PID: 2676
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads