Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23/05/2024, 22:44
Static task: static1
Behavioral task: behavioral1
  Sample: 6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe
  Resource: win10v2004-20240508-en
General
Target: 6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe
Size: 496KB
MD5: 8101a283a744c7937666a0263489a781
SHA1: 481aaf3316caa58e198183948332bb844b28660f
SHA256: 6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a
SHA512: 8bd7f80f6f1d2cea386fefff122d01b2f6125bcc426bedf8a5a314fba51f0a4267e70e5be360db6fabdd01e439ac01f490597e64cccad8433ff3fe0fba735cdb
SSDEEP: 12288:NyAfDcgcTQhgpZBDtoRAG01LqTl2mZoiXObU:vDVBADt1ZKlX34U
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2152  process EXE197A.tmp
- Loads dropped DLL (2 IoCs)
  pid 2180  process 6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe (2 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2152  process EXE197A.tmp (2 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2180 wrote to memory of 2152  pid 2180  process 6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe  procid_target 29 (4 entries)
  description: PID 2152 wrote to memory of 2936  pid 2152  process EXE197A.tmp  procid_target 30 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe"
   PID: 2180
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\EXE197A.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\EXE197A.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM197B.tmp" "C:\Users\Admin\AppData\Local\Temp\6a9c72fafaf43be870c08aaaa1ced4b0289fa435102e26fc14f5d16745dba55a.exe"
      PID: 2152
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\splwow64.exe
         Command line: C:\Windows\splwow64.exe 12288
         PID: 2936
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 48KB
  MD5: 511d84514d1c54647c173a3e4dfb2b69
  SHA1: 98a8744f8950ff485669a7f6ce1ef0fa3e0b2d82
  SHA256: 9e02cc7e7d435d5a66e99ef4277247a7c7bae27ebb2b5ccbc79581544c46f12e
  SHA512: 59235b1227f53a791ce745f1b11ba584a89ea44bd027610a8cc2c4f34db27cb4264b51ce4f677c8d860b5932ba26d20fb7c7acffce2f8b10fcce89c397ee74fd
- Filesize: 968KB
  MD5: 0f619e7352920d8d21926f2b715e0794
  SHA1: cdd75d72647b1c75477c069b51b5f8ab5dc63e50
  SHA256: e6090962c2504441c1cd5f6ee75dd5ffbddc38062f02807f0d44176d8f464381
  SHA512: 380592a1382f40d80839efea429619470b09fc0c0aad8666c6392d8dbd112f5e8719538fc93044454f4ce67375aaae8da59e09563b167ff8adf34240be684dae