Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 21:01
Static task: static1
Behavioral task: behavioral1
Sample: 6e16cd5a2af0e9bf4416b71a1442c84aad9a3bd5f8c0b92f4234aad9783514d1.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 6e16cd5a2af0e9bf4416b71a1442c84aad9a3bd5f8c0b92f4234aad9783514d1.exe
Resource: win10v2004-20240319-en
General
Target: 6e16cd5a2af0e9bf4416b71a1442c84aad9a3bd5f8c0b92f4234aad9783514d1.exe
Size: 244KB
MD5: d9463698a38cabb0a2f1cca42353b6fb
SHA1: fddace5995e8417bf25249997c705866260a9947
SHA256: 6e16cd5a2af0e9bf4416b71a1442c84aad9a3bd5f8c0b92f4234aad9783514d1
SHA512: c94abcb26739f301e07f1b995abba3cd1701f504e8270d8be2f11bce64af2cbf886c867783d404488f698da22a9c7451e51a5e1446ee737002104bee018d96d3
SSDEEP: 3072:Y969UjrL5vSfmA1m6FtMeYxo4XkaS0Fa2jhjiOC5prhYPTDlnu:YUUTxSfm76FsXkyN1iOYhElu
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid 2552, process nhadrjb.exe
- Loads dropped DLL (3 IoCs)
  pid 2552, process nhadrjb.exe (3 occurrences)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\PROGRA~3\Mozilla\nhadrjb.exe, by process 6e16cd5a2af0e9bf4416b71a1442c84aad9a3bd5f8c0b92f4234aad9783514d1.exe
  File created: C:\PROGRA~3\Mozilla\mrcfdgn.dll, by process nhadrjb.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1256, process 6e16cd5a2af0e9bf4416b71a1442c84aad9a3bd5f8c0b92f4234aad9783514d1.exe
  pid 2552, process nhadrjb.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2148 (taskeng.exe) wrote to memory of PID 2552, procid_target 29 (7 occurrences)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6e16cd5a2af0e9bf4416b71a1442c84aad9a3bd5f8c0b92f4234aad9783514d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e16cd5a2af0e9bf4416b71a1442c84aad9a3bd5f8c0b92f4234aad9783514d1.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 1256
- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {25528F09-10F2-4514-A8D6-36912441C460} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2148
  - [2] C:\PROGRA~3\Mozilla\nhadrjb.exe
    Command line: C:\PROGRA~3\Mozilla\nhadrjb.exe -giukxrm
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID: 2552
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 244KB
MD5: fc68e37628c6935e8dcb890e0dc50fcd
SHA1: b2511c02b23f7d97a5b331d25e3f3f8c6cf42b16
SHA256: a1b302bb48b17b4f55d79d4ce79c5374e7c8df5d2440bb6660415e2a2aafcbb2
SHA512: 6ef387c04a07786789f6398905a1bc91eb0e76672f4870bcc0e5ba6f85ed3367aecb4f808f805b0d0192305dd28f6c22f174cd78bc876c27abf74576c6a7abd3