Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel   120s
  max time network  119s
  platform          windows7_x64
  resource          win7-20240704-en
  resource tags     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted         15/07/2024, 02:10
Behavioral tasks
  behavioral1  Sample 608baf276843388a72352e8644e2f780N.exe  Resource win7-20240704-en
  behavioral2  Sample 608baf276843388a72352e8644e2f780N.exe  Resource win10v2004-20240709-en
General
  Target  608baf276843388a72352e8644e2f780N.exe
  Size    41KB
  MD5     608baf276843388a72352e8644e2f780
  SHA1    2feb2b8bad00f85d90bc7771274096771eda8aa7
  SHA256  e99234362a42f0fa1010f345ef0ae37d467c37283613c97b2e93fd6faf3143dd
  SHA512  b897601bd52224036f42551fed648438c868cad4857dca085024836491de277096bfd272dee576766a49279402e6ef649245313e5fc30058a4dac56d95aca16b
  SSDEEP  768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2784  services.exe

yara rule "upx" matched (22 IoCs: repeated dumps of the image region of PID 2692 and of PID 2784, plus two dropped files)
  resource                                                                      yara_rule
  behavioral1/memory/2692-0-0x0000000000500000-0x0000000000510200-memory.dmp    upx
  behavioral1/files/0x0008000000016dc7-6.dat                                    upx
  behavioral1/memory/2784-11-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2692-17-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral1/memory/2784-18-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2784-23-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2784-30-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2784-32-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2692-36-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral1/memory/2784-37-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2692-41-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral1/memory/2784-42-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/files/0x0038000000016d46-52.dat                                   upx
  behavioral1/memory/2692-60-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral1/memory/2784-61-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2692-64-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral1/memory/2784-65-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2692-69-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral1/memory/2784-70-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2784-72-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral1/memory/2692-76-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral1/memory/2784-77-0x0000000000400000-0x0000000000408000-memory.dmp   upx
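The "upx" hits above land on both processes' image regions and on the two dropped files, so the packer survives into the dropped copy. The report does not show the rule itself; as an added example, not part of the tria.ge report and not tria.ge's rule, the Python below checks the two indicators public UPX rules conventionally key on, the section names UPX0/UPX1/UPX2 and the "UPX!" marker, by walking the PE section table by hand. build_fake_pe() constructs minimal PE32 header layouts for the demonstration; it does not produce a runnable binary and the sample from this report is not embedded.

```python
import struct

# Indicators most public UPX yara rules key on. Assumption: the report's "upx"
# rule is not shown, so this mirrors common rules rather than tria.ge's own.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MARKER = b"UPX!"


def pe_section_names(data: bytes) -> list:
    """Walk the PE headers by hand and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional       # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = data[table + i * 40: table + i * 40 + 8]   # 40-byte entries, 8-byte name
        if len(entry) < 8:
            raise ValueError("section table truncated")
        names.append(entry.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Report which UPX indicators are present; both together is the strong signal."""
    names = pe_section_names(data)
    return {
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_marker": UPX_MARKER in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    hits = upx_indicators(data)
    return bool(hits["upx_sections"]) or hits["upx_marker"]


def build_fake_pe(section_names, trailer: bytes = b"") -> bytes:
    """Constructed minimal PE32 header layout for this example; not a runnable binary."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    size_of_optional = 0xE0                    # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\x00")
    table = b"".join(n.ljust(8, b"\x00")[:8] + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + optional + table + trailer


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=UPX_MARKER)
    clean = build_fake_pe([b".text", b".rdata", b".data", b".rsrc"])
    print("packed:", upx_indicators(packed))
    print("clean: ", upx_indicators(clean))
```

Section names and the marker are trivially renamed by anyone rebuilding the packer, so a miss here does not mean unpacked; high section entropy with an empty first section is the complementary check. A hit, as in this report, is reliable enough to route the file to unpacking before static analysis.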
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                    Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"       608baf276843388a72352e8644e2f780N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe

Drops file in Windows directory (3 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\java.exe      608baf276843388a72352e8644e2f780N.exe
  File created                  C:\Windows\services.exe  608baf276843388a72352e8644e2f780N.exe
  File opened for modification  C:\Windows\java.exe      608baf276843388a72352e8644e2f780N.exe
  Note: C:\Windows\services.exe is not the Service Control Manager, which lives at C:\Windows\System32\services.exe; the dropped file only borrows the name, and the second Run value ("Services") is written by that dropped copy rather than by the original sample.

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                 procid_target
  PID 2692 wrote to memory of 2784  2692  608baf276843388a72352e8644e2f780N.exe  31
  PID 2692 wrote to memory of 2784  2692  608baf276843388a72352e8644e2f780N.exe  31
  PID 2692 wrote to memory of 2784  2692  608baf276843388a72352e8644e2f780N.exe  31
  PID 2692 wrote to memory of 2784  2692  608baf276843388a72352e8644e2f780N.exe  31
Processes

  C:\Users\Admin\AppData\Local\Temp\608baf276843388a72352e8644e2f780N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\608baf276843388a72352e8644e2f780N.exe"
  PID 2692
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\services.exe  (child of PID 2692)
    command line: "C:\Windows\services.exe"
    PID 2784
      - Executes dropped EXE
      - Adds Run key to start application
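The Run-key and file-drop IoCs and the process tree above reduce to a small hunt: Run values that point at executables dropped straight into the Windows root, a file named services.exe anywhere other than C:\Windows\System32, and a Run value written by the very binary it launches. As an added example, not from the tria.ge report, the Python below runs that logic over events constructed to mirror the report's IoC lines, plus two benign control entries that must not fire. EXPECTED_DIRS, the event field names, triage() and classify_path() are this example's own, not tria.ge's schema or rules.

```python
import ntpath  # Windows path semantics regardless of the host OS

# Well-known system binaries and the only directories they legitimately live in.
# A same-named file anywhere else is a masquerade candidate (ATT&CK T1036.005).
# Assumption: this table is the example's own and is deliberately short.
EXPECTED_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}
RUN_KEY_MARKER = r"\currentversion\run"   # also matches RunOnce and RunServices keys

# Constructed events modelled on the report's IoC lines, plus two benign
# control entries (a vendor updater) that the logic must leave alone.
SAMPLE_EVENTS = [
    {"type": "reg_set", "process": "608baf276843388a72352e8644e2f780N.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM",
     "value": r"C:\Windows\java.exe"},
    {"type": "reg_set", "process": "services.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services",
     "value": r"C:\Windows\services.exe"},
    {"type": "file_create", "process": "608baf276843388a72352e8644e2f780N.exe",
     "path": r"C:\Windows\java.exe"},
    {"type": "file_create", "process": "608baf276843388a72352e8644e2f780N.exe",
     "path": r"C:\Windows\services.exe"},
    {"type": "reg_set", "process": "installer.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\Program Files\Vendor\updater.exe" /quiet'},
    {"type": "file_create", "process": "installer.exe",
     "path": r"C:\Program Files\Vendor\updater.exe"},
]


def extract_exe(command: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def classify_path(path: str) -> list:
    """Reasons an executable path is suspicious; an empty list means nothing noted."""
    norm = path.lower()
    directory, name = ntpath.dirname(norm), ntpath.basename(norm)
    reasons = []
    expected = EXPECTED_DIRS.get(name)
    if expected is not None:
        if directory not in expected:
            reasons.append("%s outside %s" % (name, " or ".join(sorted(expected))))
    elif directory == r"c:\windows":
        # Installers do not normally place executables directly in the Windows root.
        reasons.append("executable placed directly in C:\\Windows")
    return reasons


def triage(events) -> list:
    """Run-key persistence and dropped-executable checks over sandbox-style events."""
    findings = []
    for ev in events:
        if ev["type"] == "reg_set" and RUN_KEY_MARKER in ev["key"].lower():
            exe = extract_exe(ev["value"])
            reasons = classify_path(exe)
            if ntpath.basename(exe).lower() == ev["process"].lower():
                reasons.append("Run value written by the binary it points at")
            findings.append({"kind": "run_key", "name": ntpath.basename(ev["key"]),
                             "path": exe, "process": ev["process"],
                             "reasons": reasons, "suspicious": bool(reasons)})
        elif ev["type"] == "file_create" and ev["path"].lower().endswith(".exe"):
            reasons = classify_path(ev["path"])
            findings.append({"kind": "dropped_exe", "name": ntpath.basename(ev["path"]),
                             "path": ev["path"], "process": ev["process"],
                             "reasons": reasons, "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print("%-10s %-12s %-40s %s" % (flag, f["kind"], f["path"], "; ".join(f["reasons"])))
```

On a live host the same checks apply to Sysmon Event ID 13 (registry value set) and Event ID 11 (file create), with the Wow6432Node key on 64-bit systems covered because the marker only looks at the CurrentVersion\Run suffix.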
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize  41KB
  MD5       978bf245aa16a2437428c26d51e786b3
  SHA1      25a67426625de10c559a911fd387198115ab9575
  SHA256    5fd493ea2dc685e0e6ecc2b872ce951d6b2a2ea2f0657fe0ad5b445a39f0b476
  SHA512    f72cd250bc31a3a91a672ecdb933263cbaa078026ffd9fbe4e50d67a428b6497ec9d2436ac0c9995a5b8abcdd22068b4dc85bbf4758ef29fe33a23e53ff8d7b0

  Filesize  128B
  MD5       50000572fdb95a5a515de3526eb08137
  SHA1      1f7e2e264f50076d7c347028925fd17b0b2810c6
  SHA256    5d52f86f9076dd36a28aa5d659ac2e8d789ad76001810f325969aeb847f6e338
  SHA512    c4cf48d9c9dd3fecd3bebcf8538462918b111563565194cfb555c6ad488d665237da688bfe6b5f4dc35b4a9ecbb4f303155fdf1523b6b4ff1037286f7a488739

  Filesize  12KB
  MD5       1506aac570bc71bad0679cf90454f0a7
  SHA1      873ee52cfdf41c3680a946638847980f33af578b
  SHA256    0b0432eaf38ec03d84fda40ae13b1c13b22bbad1800d3923780c0605ba141856
  SHA512    b3efb72214c64a085e88583184261f37a16b37cbb846fef8cd7828f4803b0f3efe4b1c77b7df593179b783a780411f57d06c48cbf62e21cba0664e08516ac72f

  Filesize  160B
  MD5       6dd97d36a1c51aa047ba57a2d4e18b3c
  SHA1      a9733d9bc5c27ca996a9dce7614bef5a50d60aa0
  SHA256    b067785797c7e7a7bb8322a45dd7eca73ca3de59a2bd96a24eb5cc54be8e9a2e
  SHA512    7948770672ad00caf7846d3fc4f3b1db92d99b9cd0f9b24c3e691aa24229a426b0fe7bc71c11030bab699ffbf246afd84ec63bfd09949f651c5cdbc115e4dd18

  Filesize  8KB
  MD5       b0fe74719b1b647e2056641931907f4a
  SHA1      e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2