Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240215-en
- submitted: 06/03/2024, 00:43
Behavioral task: behavioral1
- Sample: win.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: win.exe
- Resource: win10v2004-20240226-en
General
- Target: win.exe
- Size: 6.8MB
- MD5: 0721b1d0c9c68c18116273f2c293ff21
- SHA1: dac53205b4ba718542138d90eb56f1641f5807b8
- SHA256: 0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4
- SHA512: 012ee21fa04e7e361d4565ba81cc8ba256fb48a75cc93c5c6ea1f77f1e69adc3a5c14275dfe358e72b6f41dd67d174c0bbb4ca26d39f9c08168ccbb9d06d3ba9
- SSDEEP: 49152:k92mic7iMnbPvRUAm+ugRkqjR7Q8TOc5KubExvCsNGEgveIXB4IuBNT/IeswF69B:BmP7i+Rf0es5u2BNTAcSE8wIX
Malware Config
Signatures
- StealthWorker
  StealthWorker is Go-based brute-force malware.
- Stealthworker family
- Contacts a large (4866) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | win.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2220 wrote to memory of 2664 | 2220 | win.exe | 28
  PID 2220 wrote to memory of 2664 | 2220 | win.exe | 28
  PID 2220 wrote to memory of 2664 | 2220 | win.exe | 28
  PID 2220 wrote to memory of 2664 | 2220 | win.exe | 28
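The two network signatures above ("Contacts a large amount of remote hosts" and "Creates a large amount of network flows") are the sandbox's heuristic for service scanning, while the family description says StealthWorker is brute-force malware. The Python below is an added example written for this page, not tria.ge's code and not the sample's: it runs the same distinct-host heuristic over connection records and additionally separates scanning (many hosts, few ports) from brute-forcing (few hosts, many attempts against one port). The record format `pid process dst_ip dst_port`, the thresholds, the process names and the TEST-NET addresses are all constructed assumptions, not data from the report.

```python
"""Scan-vs-brute-force heuristic over connection records.

Added example for this report page; not tria.ge code. The record format,
thresholds and sample data below are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    pid: int
    process: str
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated 'pid process dst_ip dst_port' record (assumed format)."""
    pid, process, dst_ip, dst_port = line.split()
    return Flow(int(pid), process, dst_ip, int(dst_port))


def classify(flows, host_threshold=100, port_threshold=5, attempt_threshold=50):
    """Aggregate per (pid, process) and label the pattern.

    scan        : >= host_threshold distinct hosts on <= port_threshold ports
                  (service discovery, the pattern the sandbox signature flags)
    brute-force : few hosts, >= attempt_threshold connections on <= port_threshold ports
                  (credential guessing against a known service)
    benign      : anything else
    Returns {(pid, process): {"hosts": n, "ports": n, "attempts": n, "verdict": str}}.
    """
    stats = defaultdict(lambda: {"hosts": set(), "ports": set(), "attempts": 0})
    for f in flows:
        s = stats[(f.pid, f.process)]
        s["hosts"].add(f.dst_ip)
        s["ports"].add(f.dst_port)
        s["attempts"] += 1

    result = {}
    for key, s in stats.items():
        hosts, ports, attempts = len(s["hosts"]), len(s["ports"]), s["attempts"]
        if hosts >= host_threshold and ports <= port_threshold:
            verdict = "scan"
        elif hosts < host_threshold and attempts >= attempt_threshold and ports <= port_threshold:
            verdict = "brute-force"
        else:
            verdict = "benign"
        result[key] = {"hosts": hosts, "ports": ports, "attempts": attempts, "verdict": verdict}
    return result


def build_sample_lines():
    """Constructed records (not from the report):
    - pid 2220 win.exe sweeps 150 hosts on ports 22 and 3389 (scan)
    - pid 4444 worker.exe hits one host on port 22 sixty times (brute-force)
    - pid 1234 browser.exe talks to three hosts on 443 (benign)
    """
    lines = []
    for i in range(150):
        lines.append(f"2220 win.exe 203.0.113.{i} {22 if i % 2 else 3389}")
    for _ in range(60):
        lines.append("4444 worker.exe 198.51.100.7 22")
    for host in ("198.51.100.20", "198.51.100.21", "198.51.100.22"):
        lines.append(f"1234 browser.exe {host} 443")
    return lines


def run_demo():
    """Parse the constructed records and return the per-process verdicts."""
    return classify(parse_flow(line) for line in build_sample_lines())


if __name__ == "__main__":
    for (pid, proc), s in run_demo().items():
        print(f"{pid:>5} {proc:<12} hosts={s['hosts']:<4} ports={s['ports']:<2} "
              f"attempts={s['attempts']:<4} -> {s['verdict']}")
```

The sandbox only counts distinct hosts; adding the port and attempt dimensions is what lets a detection rule say "scanner" versus "brute-forcer" instead of just "noisy", which matters when deciding whether the affected host is a victim of credential guessing or the source of further lateral movement.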
Processes
- C:\Users\Admin\AppData\Local\Temp\win.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\win.exe"
  PID: 2220
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2220)
    Command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    PID: 2664
    - Drops startup file
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 262B
  MD5: dace4cfc41d54279f64553161c75d806
  SHA1: d39661eb638c9a278352de505e26e7b044cc8a02
  SHA256: ba823dd59d178cf2f905e66fde280f8e23feb0eb1e85d281a99ff487f8f01c37
  SHA512: 512e9a434d5a0af2205531dd796ea6d61a37f006261dc4f52d2911672f7222aa76dcc2cddb65b0fa40fb63e9d04ab0608812fa7b5351505c3e30227441ee23ef
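The host-side indicators this report gives are the Startup-folder drop (svchostsw.exe written by cmd.exe) and the hashes in General and Downloads. The Python hunt script below is an added example, not tria.ge's code or the sample's: it hashes every file in a per-user Startup folder and reports matches against the report's SHA256 values and file name, and flags any other executable found there. The report does not name the 262-byte download, so it is labelled only by size; the folder contents in `run_demo()` are constructed, and the `%APPDATA%` path assumes a Windows host.

```python
"""Hunt for the Startup-folder persistence and file hashes from the report.

Added example for this report page; not tria.ge code. The folder contents
created by run_demo() are constructed placeholders, not the real sample.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values copied from the report's General and Downloads sections.
IOC_SHA256 = {
    "0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4": "win.exe (submitted sample)",
    "ba823dd59d178cf2f905e66fde280f8e23feb0eb1e85d281a99ff487f8f01c37": "262-byte file from Downloads",
}
# File name written to the Startup folder per the 'Drops startup file' signature.
IOC_FILENAMES = {"svchostsw.exe"}
EXECUTABLE_SUFFIXES = {".exe", ".bat", ".cmd", ".vbs", ".ps1", ".lnk"}


def default_startup_dir() -> Path:
    """Per-user Startup folder on Windows (the path the dropper used in the report)."""
    return Path(os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"))


def sha256_of(path: Path) -> str:
    """Stream the file through SHA256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(startup_dir: Path) -> list:
    """Return one finding per suspicious file in startup_dir, in name order.

    A hash or name match against the report is reported as such; any other
    executable-type file is reported as unexpected, since legitimate software
    rarely drops binaries (rather than shortcuts) into this folder.
    """
    findings = []
    if not startup_dir.is_dir():
        return findings
    for p in sorted(startup_dir.iterdir()):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        reasons = []
        if digest in IOC_SHA256:
            reasons.append(f"sha256 matches {IOC_SHA256[digest]}")
        if p.name.lower() in IOC_FILENAMES:
            reasons.append("file name matches report IoC")
        if not reasons and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            reasons.append("unexpected executable in Startup")
        if reasons:
            findings.append({"path": str(p), "sha256": digest, "reasons": reasons})
    return findings


def run_demo() -> list:
    """Run the hunt against a constructed Startup folder (placeholder contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "svchostsw.exe").write_bytes(b"MZ placeholder bytes, not the real dropped file")
        (d / "desktop.ini").write_text("[.ShellClassInfo]\n")
        (d / "updater.bat").write_text("@echo off\n")
        return hunt(d)


if __name__ == "__main__":
    target = default_startup_dir()
    results = hunt(target) if target.is_dir() else run_demo()
    for f in results:
        print(f"{f['path']}\n  sha256={f['sha256']}\n  " + "; ".join(f["reasons"]))
```

On a live host, run it per user profile; the Startup-folder path in the report is under a specific user's `AppData\Roaming`, so a single-profile check misses persistence planted under other accounts. A name match without a hash match is still worth escalating, because the dropped copy may differ from the analysed one.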