Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/03/2024, 13:52

Static task: static1
Behavioral task: behavioral1
  Sample: b249c3b71582873b624c95ca35749e4c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b249c3b71582873b624c95ca35749e4c.exe
  Resource: win10v2004-20240226-en

General
Target: b249c3b71582873b624c95ca35749e4c.exe
Size: 233KB
MD5: b249c3b71582873b624c95ca35749e4c
SHA1: c43865e9c426ca74337b9ed1ed6cd8aee7f4341b
SHA256: c47f904de040740820b09c3790e111189266a14875ac4422ae1002be5f4eab5d
SHA512: 6367bb9a33172f4c6b691763308f094cac118f34047af8e4f08cf011b871048e8a1f28ba73f464b2eb9f2f6d9cf1805b81262e3e6a86c0c105661140013d486e
SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B8QkgnYHfQlAY:o68i3odBiTl2+TCU/pk8KfQlE8
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"  b249c3b71582873b624c95ca35749e4c.exe

Drops file in Windows directory (13 IoCs)
  description                   ioc                                process
  File created                  C:\Windows\SHARE_TEMP\Icon13.ico   b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\SHARE_TEMP\Icon14.ico   b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\SHARE_TEMP\Icon2.ico    b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\SHARE_TEMP\Icon7.ico    b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\SHARE_TEMP\Icon3.ico    b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\SHARE_TEMP\Icon10.ico   b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\SHARE_TEMP\Icon12.ico   b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\winhash_up.exez         b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\winhash_up.exe          b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\SHARE_TEMP\Icon5.ico    b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\bugMAKER.bat            b249c3b71582873b624c95ca35749e4c.exe
  File opened for modification  C:\Windows\winhash_up.exez         b249c3b71582873b624c95ca35749e4c.exe
  File created                  C:\Windows\SHARE_TEMP\Icon6.ico    b249c3b71582873b624c95ca35749e4c.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process                               procid_target
  PID 2272 wrote to memory of 2604  2272  b249c3b71582873b624c95ca35749e4c.exe  28
  PID 2272 wrote to memory of 2604  2272  b249c3b71582873b624c95ca35749e4c.exe  28
  PID 2272 wrote to memory of 2604  2272  b249c3b71582873b624c95ca35749e4c.exe  28
  PID 2272 wrote to memory of 2604  2272  b249c3b71582873b624c95ca35749e4c.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe"
   PID: 2272
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Windows\bugMAKER.bat
      PID: 2604
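The two behaviours that tie this report together are that the sample writes a file into C:\Windows and then registers that same file under a Run key, and that it spawns cmd.exe on a .bat it dropped itself. The script below is an added example (not part of the tria.ge report or its tooling) showing how to correlate those two patterns from file, registry and process events. The event records are constructed here from the report's IoCs, and the field names ("type", "pid", "ppid", "image", "target", "key", "data", "cmdline") are an assumed schema, not a real Sysmon or sandbox log format.

```python
"""Correlate sandbox or Sysmon-style events into the two behaviours the report
above records for this sample: a process that drops a file into C:\\Windows and
then registers that same file under a Run key, and a process that launches
cmd.exe on a script it wrote itself.

Added example; not part of the tria.ge report. The event records are constructed
from the report's IoCs and the field names are an assumed schema.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe"

# Constructed events mirroring the "Signatures" and "Processes" sections above.
EVENTS = [
    {"type": "file_create", "pid": 2272, "image": SAMPLE, "target": r"C:\Windows\SHARE_TEMP\Icon13.ico"},
    {"type": "file_create", "pid": 2272, "image": SAMPLE, "target": r"C:\Windows\winhash_up.exez"},
    {"type": "file_create", "pid": 2272, "image": SAMPLE, "target": r"C:\Windows\winhash_up.exe"},
    {"type": "file_create", "pid": 2272, "image": SAMPLE, "target": r"C:\Windows\bugMAKER.bat"},
    {"type": "registry_set", "pid": 2272, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service",
     "data": r"C:\Windows\winhash_up.exe /REGstart"},
    {"type": "process_create", "pid": 2604, "ppid": 2272,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd /c C:\Windows\bugMAKER.bat"},
    # Constructed benign control: a Run value pointing at a file the writer did not create.
    {"type": "registry_set", "pid": 4100, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# Matches Run and RunOnce under any hive spelling (HKLM, HKCU, \REGISTRY\MACHINE, Wow6432Node).
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Unquoted script paths inside a command line (quoted paths are handled by program_from_command).
SCRIPT_RE = re.compile(r'([a-z]:\\[^\s"]+\.(?:bat|cmd|vbs|js|ps1))', re.I)


def norm(path):
    """Case-fold a Windows path so registry data and file events compare equal."""
    return path.strip().lower()


def program_from_command(cmd):
    """Return the program path from a Run value or command line, without quotes or arguments.
    Handles '"C:\\Program Files\\x.exe" /arg' as well as 'C:\\Windows\\x.exe /arg'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return norm(cmd[1:end]) if end > 0 else None
    m = re.match(r"([a-z]:\\.+?\.exe)(?:\s|$)", cmd, re.I)
    return norm(m.group(1)) if m else None


def files_created_by_pid(events):
    """Map pid -> set of normalised paths that process created."""
    created = defaultdict(set)
    for e in events:
        if e["type"] == "file_create":
            created[e["pid"]].add(norm(e["target"]))
    return created


def find_self_registered_run_keys(events):
    """Flag a Run/RunOnce value whose program is a file the writing process created itself."""
    created = files_created_by_pid(events)
    hits = []
    for e in events:
        if e["type"] != "registry_set" or not RUN_KEY_RE.search(e["key"]):
            continue
        program = program_from_command(e["data"])
        if program and program in created[e["pid"]]:
            hits.append({"pid": e["pid"], "image": e["image"], "key": e["key"], "program": program})
    return hits


def find_dropped_script_execution(events):
    """Flag a child process whose command line runs a script its parent wrote to disk."""
    created = files_created_by_pid(events)
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        for script in SCRIPT_RE.findall(e["cmdline"]):
            if norm(script) in created[e["ppid"]]:
                hits.append({"pid": e["pid"], "ppid": e["ppid"], "image": e["image"], "script": norm(script)})
    return hits


def report(events=EVENTS):
    """Run both rules and return the findings keyed by rule name."""
    return {
        "run_key_self_registration": find_self_registered_run_keys(events),
        "dropped_script_execution": find_dropped_script_execution(events),
    }


if __name__ == "__main__":
    for rule, hits in report().items():
        print(rule, len(hits))
        for hit in hits:
            print("  ", hit)
```

Two caveats when moving this off a sandbox trace onto a live host: the correlation keys on the numeric pid, which is stable within one trace but is reused on a real system, so key on the process GUID there; and installers legitimately drop a binary and register it under Run, so pair the rule with an allowlist on signer or install path. Note also that the key in this report sits under Wow6432Node, the redirected 32-bit view of HKLM\SOFTWARE on x64, so a manual check with reg.exe needs /reg:32 (or both views) to see it.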
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76B
MD5: 7e8909952d5e1817201f31584fc4cc06
SHA1: 833558bdebdee2b412d9e6941c89c2607fb2b574
SHA256: a2e4a0f4067c5d5be575bb078cba5670744a84b06ddf7a6cf48ed5dd5f138a9b
SHA512: 10997ef6181227f51aaa2fbe25aab84ddeebf0ac113795149834c1b8297c2244fec9b60ef9ed5b4e993100652d1731070592c68e1366796bc810786571cb6e7a