Analysis
- max time kernel: 43s
- max time network: 179s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26/03/2024, 10:51
Static task: static1
Behavioral task: behavioral1
  Sample: defc129e02f7491018870c51036bf597.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: defc129e02f7491018870c51036bf597.exe
  Resource: win10v2004-20231215-en
General
- Target: defc129e02f7491018870c51036bf597.exe
- Size: 132KB
- MD5: defc129e02f7491018870c51036bf597
- SHA1: 9e01c5137ba14916c30250f6cf522b36a187b6ff
- SHA256: 13a56059ac7409f978090af2a11e59bacb66f1e01f7529e5cf2fc1d366155a05
- SHA512: 23ccd8e3e7bec9fb093f974524fdf410e7231e345fab5a0a97308b1b7e88e78b78d764b54c5c42962b2d0f62bcb40003940638f61c39d2f1dfc26f33b675680a
- SSDEEP: 3072:twxVMhOC/dTDbq91+mno3t4QZQ3rt8iJk/lE5eu95PGmN4h:tTfFDbRnOTrt5JEE5eu9nN4h
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid: 2632, Process: 11.exe
- YARA rule matches (resource / yara_rule)
  behavioral1/memory/2536-4-0x0000000000500000-0x0000000000519000-memory.dmp / upx
  behavioral1/files/0x0009000000012227-6.dat / upx
  behavioral1/memory/2632-7-0x0000000000400000-0x0000000000419000-memory.dmp / upx
  behavioral1/memory/2632-39-0x0000000000400000-0x0000000000419000-memory.dmp / upx
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (description / ioc / Process)
  Key created / \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main / 11.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2632, Process: 11.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2632, Process: 11.exe
  pid: 2632, Process: 11.exe
- Suspicious use of WriteProcessMemory (4 IoCs; description / pid / Process / procid_target)
  PID 2536 wrote to memory of 2632 / 2536 / defc129e02f7491018870c51036bf597.exe / 27
  PID 2536 wrote to memory of 2632 / 2536 / defc129e02f7491018870c51036bf597.exe / 27
  PID 2536 wrote to memory of 2632 / 2536 / defc129e02f7491018870c51036bf597.exe / 27
  PID 2536 wrote to memory of 2632 / 2536 / defc129e02f7491018870c51036bf597.exe / 27
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\defc129e02f7491018870c51036bf597.exe (PID 2536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\defc129e02f7491018870c51036bf597.exe"
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\11.exe (PID 2632)
    Command line: "C:\11.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- (file path not shown on the page)
  Filesize: 30KB
  MD5: 64adcfa114e90e37770873d5d67163c2
  SHA1: b3d652aafc8c1129cdca36185c193bab4a73f801
  SHA256: db4ab3fbade2d12ef5645ee550720243cb5736d931c108a804fa5d383a06a002
  SHA512: 8fafe015a0928277f4f27606c29ba4a5ee882c72b04be7ae40bf2670151006bd9148dc18065126f1d220276c441b0fc6d9e169325ac8629037180bdcac87fa81
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BD3NDTTD\CNNP97HY.htm
  Filesize: 4KB
  MD5: 5a23882669151ee7af9c3061cf648759
  SHA1: 651a31e7eb23f1acc90ddaeee27d97b56d0b4deb
  SHA256: 3df2fb158bdd50759d656d2a2330cf5468b4fa1dd0c0d3df749aeff3fb3c99af
  SHA512: a15ce527d1c15cdf40ee12fc7686f089a6b67e9b801dc85eb79c2466df3c8cc5cd67b4bc730d22a96071c2b111fc0789e58872e6ab704fd58b7cbe3e7fd8d728