Analysis
- max time kernel: 119s
- max time network: 21s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 22/07/2024, 10:02
Static task: static1
Behavioral task: behavioral1
- Sample: 985d6ab0e9e57850cf7ed9f331ae36a0N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 985d6ab0e9e57850cf7ed9f331ae36a0N.exe
- Resource: win10v2004-20240709-en
General
- Target: 985d6ab0e9e57850cf7ed9f331ae36a0N.exe
- Size: 539KB
- MD5: 985d6ab0e9e57850cf7ed9f331ae36a0
- SHA1: 9dcbb36de4f8a99a7ffca73240dedea6ee33fac9
- SHA256: 612daa13770e7ca0f61b173c4a2c9790f7cd8b109bb886f80cb257dfce623451
- SHA512: 803fe1087e1dae4aa4919f3cf7d8f14e69c2d8fb9210600f98151d3a6ccf866bcc459eb8d33ff8922dfa78ca63d89aaf0ca5c1bc23735b4fc518d61e6845e4a9
- SSDEEP: 6144:NYkLWCTxDrF98Oh8P7AEL8IhoM8InI5SQ8R5NTope6S2DtL9xG9QTKhDxfWqr6z1:NYIW0p98Oh8P7h8EJQ8z8eDe9mJxfWZT
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2280, process 3F13.tmp
- Loads dropped DLL (1 IoC)
  pid 2368, process 985d6ab0e9e57850cf7ed9f331ae36a0N.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2808, process WINWORD.EXE
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2280, process 3F13.tmp
- Suspicious use of SetWindowsHookEx (4 IoCs)
  4 entries, all: pid 2808, process WINWORD.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  Columns: description, pid, process, procid_target
  4 entries: PID 2368 wrote to memory of 2280 | pid 2368 | 985d6ab0e9e57850cf7ed9f331ae36a0N.exe | procid_target 30
  4 entries: PID 2280 wrote to memory of 2808 | pid 2280 | 3F13.tmp | procid_target 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe"
   PID: 2368
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3F13.tmp (child of PID 2368)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3F13.tmp" --ping C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe 292C500829E567148921DCD8ED229A58A4D022143EF8952DD3E34A5AD76F857E5E720AB75C9482A532903B915C4092EFDC8BA4778C4DE3680DAC21BDC83C5522
      PID: 2280
      - Executes dropped EXE
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (child of PID 2280)
         Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.docx"
         PID: 2808
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 21KB
  MD5: 7079891932a64f097abafd233055a1e9
  SHA1: 246d95feafe67689d49a5a4cadba18d3ac1914e5
  SHA256: c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
  SHA512: 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a
- Dropped file 2
  Filesize: 539KB
  MD5: 97f4047d20a637bc6be040b914050d94
  SHA1: a962b5eb11280fb94f3c4c22f61682247247ab39
  SHA256: 58f60746d9a49b8591d9e7319a46c6116bf495a6de94390c673c6b8ae554c11e
  SHA512: 6e63834362da26d2773e46ed593d3ea8b5cc0bb97397bcc6bcb50be6d379e3b3774a786f75cf3bcbf3ff8fdf5061664c3c5ac21e45b493f0d1f954e1104cec2d