Analysis
Max time kernel: 120s
Max time network: 131s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 27/03/2024, 17:25
Static task: static1
Behavioral task: behavioral1
  Sample: e232399ba45ac62a06158ea55e764769.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e232399ba45ac62a06158ea55e764769.exe
  Resource: win10v2004-20240226-en
General
Target: e232399ba45ac62a06158ea55e764769.exe
Size: 1.2MB
MD5: e232399ba45ac62a06158ea55e764769
SHA1: 953aea3af528492fa0464ee6a198a969fe2ef9a7
SHA256: c25d53b46bb85b9b81f140617cad54bba438e64072f5653bc85b62083306a7b1
SHA512: 36c80858c0ac66d09bf2428eba92d17cc862cfe81a90465931711333981f3333425d2767350c246fddf4cb9f7eb65cc7c7b5952951094b697ad8210beda9eed1
SSDEEP: 24576:IoqJ4jpebQRLI/bwKlVYswxTI95QnyOujfJzTKUckm8O3bb:IoqJ4jpsQkwKlFwxU95QnyOujrcGW
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2548: install_msgskinner.exe
Loads dropped DLL (6 IoCs)
  PID 812: e232399ba45ac62a06158ea55e764769.exe (1 load)
  PID 2548: install_msgskinner.exe (5 loads)
Drops file in Windows directory (1 IoC)
  File created: C:\Windows\pack.epk by e232399ba45ac62a06158ea55e764769.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
NSIS installer (1 IoC)
  Resource behavioral1/files/0x000f000000015c8a-10.dat matched YARA rule nsis_installer_1
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2548: install_msgskinner.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 812 (e232399ba45ac62a06158ea55e764769.exe) wrote to memory of PID 2548 (procid_target 27), 7 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\e232399ba45ac62a06158ea55e764769.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e232399ba45ac62a06158ea55e764769.exe"
   PID: 812
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\temp\install_msgskinner.exe (child of PID 812)
      Command line: "C:\Windows\temp\install_msgskinner.exe" "/LICFILE=C:\Windows\temp\license.dat" "/MC=C:\Windows\system32\caqoecbpec.exe" "/MCPARAMS=INSTALL:5029564|77|VGOOGB3955921*0.0.47337.1*15|6"
      PID: 2548
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads