Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/06/2024, 05:05
Behavioral task: behavioral1
- Sample: e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe
- Resource: win10v2004-20240508-en
General
- Target: e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe
- Size: 134KB
- MD5: 47c44a060f6302aa7e72753c8648b805
- SHA1: da9df6328aefc3424699a2264495f7302f54b3fa
- SHA256: e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99
- SHA512: 1ed3606760f1dde40ef04f15c49377e96c13e718b26a5fbf65aad568d4626d4834bec5321247854d93fdb01ed9cf040f7a91cb34808dd21e06066dd19f4f48f7
- SSDEEP: 1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Qs:riAyLN9aa+9U2rW1ip6pr2At7NZuQs
Malware Config
Signatures
- UPX dump on OEP (original entry point) (6 IoCs)
  resource                                                                              yara_rule
  behavioral1/memory/2008-0-0x0000000001020000-0x0000000001048000-memory.dmp            UPX
  behavioral1/files/0x0009000000014a55-2.dat                                            UPX
  behavioral1/memory/2008-4-0x0000000000160000-0x0000000000188000-memory.dmp            UPX
  behavioral1/memory/2008-7-0x0000000001020000-0x0000000001048000-memory.dmp            UPX
  behavioral1/memory/2196-8-0x0000000001340000-0x0000000001368000-memory.dmp            UPX
  behavioral1/memory/2008-9-0x0000000001020000-0x0000000001048000-memory.dmp            UPX
- Executes dropped EXE (1 IoC)
  pid    Process
  2196   WwanSvc.exe
- Loads dropped DLL (1 IoC)
  pid    Process
  2008   e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe
- Unnamed signature (heading not captured on the page), yara rule upx (6 IoCs)
  resource                                                                              yara_rule
  behavioral1/memory/2008-0-0x0000000001020000-0x0000000001048000-memory.dmp            upx
  behavioral1/files/0x0009000000014a55-2.dat                                            upx
  behavioral1/memory/2008-4-0x0000000000160000-0x0000000000188000-memory.dmp            upx
  behavioral1/memory/2008-7-0x0000000001020000-0x0000000001048000-memory.dmp            upx
  behavioral1/memory/2196-8-0x0000000001340000-0x0000000001368000-memory.dmp            upx
  behavioral1/memory/2008-9-0x0000000001020000-0x0000000001048000-memory.dmp            upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
  Process: e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid    Process                                                                  procid_target
  PID 2008 wrote to memory of 2196   2008   e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe    28
  PID 2008 wrote to memory of 2196   2008   e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe    28
  PID 2008 wrote to memory of 2196   2008   e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe    28
  PID 2008 wrote to memory of 2196   2008   e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe    28
Processes
- C:\Users\Admin\AppData\Local\Temp\e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e995a6b93ba71a4aab578796f52db018c813fa1db317a45694c1b38e20f8db99.exe"
  PID: 2008
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\Update\WwanSvc.exe
    Command line: "C:\ProgramData\Update\WwanSvc.exe" /run
    PID: 2196
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 134KB
- MD5: 8d5dbd3cd23449b6b04dfca299c74b62
- SHA1: 45cc97f75e1f447b8e2237e77deb30ac8d4950fa
- SHA256: 0a132cc112fc1777ca2d44064db1be967c5c51e5a07e0e9b5dcba9d9fc8d7757
- SHA512: 520d1e0a18fa6e53e18ab41cd0c0d29d31256ffdb7bb535d74e58d196032b2a3117538b9b6fb8d8d2d45dc9831b25c001936e5ae614d7cfc9fd2efba9ac79948