Analysis
  max time kernel: 1s
  max time network: 0s
  platform: windows7_x64
  resource: win7-20240220-en
  resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  submitted: 12/03/2024, 08:27
Static task: static1
Behavioral task: behavioral1
  Sample: c2e96de70e518631646a16154cd2dab8.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: c2e96de70e518631646a16154cd2dab8.exe
  Resource: win10v2004-20240226-en
General
  Target: c2e96de70e518631646a16154cd2dab8.exe
  Size: 80KB
  MD5: c2e96de70e518631646a16154cd2dab8
  SHA1: 899de7a75187996ecc2e1cbe58c38c010dd57692
  SHA256: cab376dba17f99ab31a0eda48dc13c278d356b21a47cffb5dbfaa6856ad65b34
  SHA512: 76b99bce1475eee6410a567f1376feb814f0e2f1cf16b4dc479562ec1a1e17f692a4c0c8d09298346741d78cdec5452640f898cbb6ddb749dab4fb4ed066be2c
  SSDEEP: 768:cDI8ys6q0TMm1zJHZ+GaBb2Vxit/vqJevfoJ6DVSLKvomVWdXW7X4sn:cDk1zH3cHBb2VxUcpKVSLChVWdXi
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSN6.1 Auto-Updater = "v6msn.exe"
  Process: c2e96de70e518631646a16154cd2dab8.exe

Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\v6msn.exe
  Process: c2e96de70e518631646a16154cd2dab8.exe

  description: File opened for modification
  ioc: C:\Windows\SysWOW64\v6msn.exe
  Process: c2e96de70e518631646a16154cd2dab8.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1640 set thread context of 2856
  pid: 1640
  Process: c2e96de70e518631646a16154cd2dab8.exe
  procid_target: 28

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (10 IoCs)
  description: PID 1640 wrote to memory of 2856
  pid: 1640
  Process: c2e96de70e518631646a16154cd2dab8.exe
  procid_target: 28
  (the same entry is recorded 10 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe"
   PID: 1640
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe"
     PID: 2856
     - Adds Run key to start application
     - Drops file in System32 directory

    3. C:\Windows\SysWOW64\v6msn.exe
       command line: "C:\Windows\system32\v6msn.exe"
       PID: 2716

      4. C:\Windows\SysWOW64\v6msn.exe
         command line: "C:\Windows\SysWOW64\v6msn.exe"
         PID: 2512

        5. C:\Windows\SysWOW64\v6msn.exe
           command line: "C:\Windows\system32\v6msn.exe"
           PID: 776

          6. C:\Windows\SysWOW64\v6msn.exe
             command line: "C:\Windows\SysWOW64\v6msn.exe"
             PID: 2316

            7. C:\Windows\SysWOW64\v6msn.exe
               command line: "C:\Windows\system32\v6msn.exe"
               PID: 2436

        5. C:\Windows\SysWOW64\CMD.exe
           command line: CMD /C del /F /S /Q *.zip
           PID: 2312

        5. C:\Windows\SysWOW64\CMD.exe
           command line: CMD /C del /F /S /Q *.com
           PID: 2300

        5. C:\Windows\SysWOW64\CMD.exe
           command line: CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
           PID: 2192

        5. C:\Windows\SysWOW64\CMD.exe
           command line: CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
           PID: 1692

        5. C:\Windows\SysWOW64\cmd.exe
           command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
           PID: 2964

    3. C:\Windows\SysWOW64\CMD.exe
       command line: CMD /C del /F /S /Q *.zip
       PID: 2696

    3. C:\Windows\SysWOW64\CMD.exe
       command line: CMD /C del /F /S /Q *.com
       PID: 2420

    3. C:\Windows\SysWOW64\CMD.exe
       command line: CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
       PID: 2804

    3. C:\Windows\SysWOW64\CMD.exe
       command line: CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
       PID: 2532

    3. C:\Windows\SysWOW64\cmd.exe
       command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C2E96D~1.EXE > nul
       PID: 2568
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 80KB
  MD5: c2e96de70e518631646a16154cd2dab8
  SHA1: 899de7a75187996ecc2e1cbe58c38c010dd57692
  SHA256: cab376dba17f99ab31a0eda48dc13c278d356b21a47cffb5dbfaa6856ad65b34
  SHA512: 76b99bce1475eee6410a567f1376feb814f0e2f1cf16b4dc479562ec1a1e17f692a4c0c8d09298346741d78cdec5452640f898cbb6ddb749dab4fb4ed066be2c

  Filesize: 3KB
  MD5: a3ba37f0afdc1fd9a69f4f44cdbc26e1
  SHA1: 5d667022420623974407a1157933b08c52e72d2c
  SHA256: 6d63d07049c5eeae2802b8fd9f4294e8a4620643dca5e6c4dbe1d0c09e60a4c5
  SHA512: edf6413cf88bb1b5e7e5e04cc1f786ab934f41a18abd85dc77456f282be83f828559e09727f2b97fa2a50c46c95190b610c2cf28db24bdd7112d71a4a33826e8