Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 16s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 15/07/2024, 14:17
Static task: static1
Behavioral task: behavioral1
  Sample: ebe43597656b129ec30f3b81688d48c0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ebe43597656b129ec30f3b81688d48c0N.exe
  Resource: win10v2004-20240709-en
General
- Target: ebe43597656b129ec30f3b81688d48c0N.exe
- Size: 208KB
- MD5: ebe43597656b129ec30f3b81688d48c0
- SHA1: 697a62161825f9c761621dfa4075372292c0f798
- SHA256: 268d5097cf3423f5aa8397512c98842af563acc36ad71663a7f1770b5d94c8de
- SHA512: 60dfc81e8b459d7e842a1503270f13f6833b386aef34b6f8f52b1c30068f2b5f5b45a42a2ca9e2e622701f150460b1eea75aa09ebc7e04b5aab6f88c768cdcf0
- SSDEEP: 3072:lGPFazIFjShsKSL27AfW+vald9FM1foaskhZcAE5MFxzC/zP4H4fjm5osl/9PYFO:lGtaEJFKSVva9FM1tD5LQEj9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2408  FXJNXJC.exe
- Drops file in Windows directory (3 IoCs)
  description                   ioc                           Process
  File created                  C:\windows\FXJNXJC.exe        ebe43597656b129ec30f3b81688d48c0N.exe
  File opened for modification  C:\windows\FXJNXJC.exe        ebe43597656b129ec30f3b81688d48c0N.exe
  File created                  C:\windows\FXJNXJC.exe.bat    ebe43597656b129ec30f3b81688d48c0N.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2180  ebe43597656b129ec30f3b81688d48c0N.exe
  2180  ebe43597656b129ec30f3b81688d48c0N.exe
  2408  FXJNXJC.exe
  2408  FXJNXJC.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2180  ebe43597656b129ec30f3b81688d48c0N.exe
  2180  ebe43597656b129ec30f3b81688d48c0N.exe
  2408  FXJNXJC.exe
  2408  FXJNXJC.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                procid_target
  PID 2180 wrote to memory of 2344     2180  ebe43597656b129ec30f3b81688d48c0N.exe  31
  PID 2180 wrote to memory of 2344     2180  ebe43597656b129ec30f3b81688d48c0N.exe  31
  PID 2180 wrote to memory of 2344     2180  ebe43597656b129ec30f3b81688d48c0N.exe  31
  PID 2180 wrote to memory of 2344     2180  ebe43597656b129ec30f3b81688d48c0N.exe  31
  PID 2344 wrote to memory of 2408     2344  cmd.exe                                33
  PID 2344 wrote to memory of 2408     2344  cmd.exe                                33
  PID 2344 wrote to memory of 2408     2344  cmd.exe                                33
  PID 2344 wrote to memory of 2408     2344  cmd.exe                                33
Processes
1. C:\Users\Admin\AppData\Local\Temp\ebe43597656b129ec30f3b81688d48c0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ebe43597656b129ec30f3b81688d48c0N.exe"
   PID: 2180
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\windows\FXJNXJC.exe.bat" "
      PID: 2344
      - Suspicious use of WriteProcessMemory
      3. C:\windows\FXJNXJC.exe
         Command line: C:\windows\FXJNXJC.exe
         PID: 2408
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: 207eeda33ddc7c411a8dd8325cdb513d
  SHA1: 844fce8329adf997b2c3dd7756557811dfb64535
  SHA256: f00986d2044dbd8059779bc5d64d56407c768760d93dbcd3804f9634fe6ebb38
  SHA512: 64186ece210b62920ff91044b644c886181069b8ac04245552898f8a0de6c8072f71c4dab02c9629bbf0b92520b79dcc1e4ef1d7317c971c5c28ac510df20d7d
- Filesize: 208KB
  MD5: f102b1ee4b9a80f97041cc65bc328464
  SHA1: e5e73a06e0b446061dba1195482c13adbd99f921
  SHA256: 9d2b99a2e93d6b116796aaf4e69bf23247d0c17c832ec634b2145930fd541540
  SHA512: 8e3c2c731073b14875980a0f7727fc97f0e289bb94155959bdbed371d5c5485edd0d5a72699fa5369be53c3334c5ab85704bab7904cd8a69700e76a45a2de4fe