Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/03/2024, 13:50
Static task: static1
Behavioral task: behavioral1
  Sample: b24950938d76bae4c97176c7794cd96d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b24950938d76bae4c97176c7794cd96d.exe
  Resource: win10v2004-20240226-en
General
Target: b24950938d76bae4c97176c7794cd96d.exe
Size: 40KB
MD5: b24950938d76bae4c97176c7794cd96d
SHA1: 2e1c8746df7f9a8739ec7fae091e43b0e5b828d0
SHA256: b146af68e7e5574de82e90684e8383a4a274005d48be616ca45a98aa98974a41
SHA512: 973c2f9a01217f3458c833b5e3165712a483a400a0f29477049009e0ae599ed430014e7e941b929225366ced173c634ff6d83ee5dd6f7dc15b2b497c3cebea15
SSDEEP: 768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHd:aqk/Zdic/qjh8w19JDHd
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2076, process services.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" (process: services.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" (process: b24950938d76bae4c97176c7794cd96d.exe)
Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\java.exe (process: b24950938d76bae4c97176c7794cd96d.exe)
  File created: C:\Windows\services.exe (process: b24950938d76bae4c97176c7794cd96d.exe)
  File opened for modification: C:\Windows\java.exe (process: b24950938d76bae4c97176c7794cd96d.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1808 (b24950938d76bae4c97176c7794cd96d.exe) wrote to memory of PID 2076, procid_target 28 (4 identical entries recorded)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b24950938d76bae4c97176c7794cd96d.exe ("C:\Users\Admin\AppData\Local\Temp\b24950938d76bae4c97176c7794cd96d.exe"), PID 1808
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\services.exe ("C:\Windows\services.exe"), PID 2076, child of process 1
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 40KB
  MD5: cc8c49180d78b5d5dd72983cbebdd6bc
  SHA1: 85b543c9aab0c5e70ee1c4aef1f1977dddbb5d6f
  SHA256: a7a1f6b778f5bf264ec5809e1891102bba23dd43092acb12a2d9b740c9d5b265
  SHA512: c4a14a5fa9ade6860fed45adf516afa551a2602a3a13fb5147c3a081e5200eca55a8cee07df9cf8f09b8b025f942255ccd577672d8635768bb9d6acb88adf0e0
File 2
  Filesize: 1KB
  MD5: b577b503bcffd9b88547ba3d9bec3685
  SHA1: 7b9d0dcb66de60ab8269d6c6e31ca00a8e586768
  SHA256: a923c43fd958c2ad31a76821938201ac647b88cc4b549ef6d21d24d51731f874
  SHA512: 0b9130284d219e9711cedcaafebd89474ca66313efdab176e82be08764cae1922a7ecaa413f0898db22a920a81dde27ce6be8330fa7900be1aa2a5dae9ac218a
File 3
  Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2