Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 20:35
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 061d0c491d5c672cec51c3e499e3cb60N.exe
  - Resource: win7-20240708-en
Behavioral task
- behavioral2
  - Sample: 061d0c491d5c672cec51c3e499e3cb60N.exe
  - Resource: win10v2004-20240709-en
General
- Target: 061d0c491d5c672cec51c3e499e3cb60N.exe
- Size: 436KB
- MD5: 061d0c491d5c672cec51c3e499e3cb60
- SHA1: 39a52fdd2b769ed9217ce6b08f9bd2ef44149418
- SHA256: 74602e4cc9f25828cf5dc3b213c09e68cf95e15bfcf477bdba2b109c73cc0a79
- SHA512: b003edaed30bb45b25772bf06564d11f7db751b6528dae1e762f4d5f0b6cbd02f18b132459a3a7b23a81687d0aff71dadae2e96c86c200cec837f99cf6de951c
- SSDEEP: 3072:sgsCs5apuKRZZ5AyFZG8iJAXnZqRhvQO3V+lzs+B0MwXMAsYmpmd/h1:sgE5awKTgyFZG8iCnZq3vXf80MUmpmr1
Malware Config
Signatures
- Deletes itself (1 IoC)
  - PID 2968, cmd.exe
- Executes dropped EXE (1 IoC)
  - PID 2364, wininit32.exe
- Loads dropped DLL (2 IoCs)
  - PID 2036, 061d0c491d5c672cec51c3e499e3cb60N.exe (2 events)
- Drops file in System32 directory (3 IoCs)
  - File created: C:\Windows\SysWOW64\wininit32.exe by 061d0c491d5c672cec51c3e499e3cb60N.exe
  - File opened for modification: C:\Windows\SysWOW64\wininit32.exe by 061d0c491d5c672cec51c3e499e3cb60N.exe
  - File created: C:\Windows\SysWOW64\wininit32.exe by wininit32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 061d0c491d5c672cec51c3e499e3cb60N.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - 64 events, all from PID 2036 (061d0c491d5c672cec51c3e499e3cb60N.exe) and PID 2364 (wininit32.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 2036 (061d0c491d5c672cec51c3e499e3cb60N.exe) wrote to memory of PID 2364 (wininit32.exe): 4 events, procid_target 30
  - PID 2036 (061d0c491d5c672cec51c3e499e3cb60N.exe) wrote to memory of PID 2968 (cmd.exe): 4 events, procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe (PID 2036, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wininit32.exe (PID 2364, level 2, child of 2036)
    Command line: C:\Windows\system32\wininit32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2968, level 2, child of 2036)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\r2782.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
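The process tree above gives a compact behavioural chain worth turning into host-side hunt logic: the sample (run from the user's Temp directory) writes wininit32.exe into a system directory, runs that dropped file, and launches cmd.exe on a .bat file in Temp that removes the original; both the sample and cmd.exe read the NLS\Language key. Two observations that the report itself does not spell out: the image path is C:\Windows\SysWOW64 although the command line says system32, which is WOW64 file-system redirection for a 32-bit process on an x64 guest (consistent with the arch:x86 tag); and the eight WriteProcessMemory rows target exactly the two children the sample spawns, which is also what ordinary child-process creation looks like, so the example below does not key on that signature. The script is an added example, not tria.ge output: its event records are constructed to mirror the report's tree (Sysmon-like fields named by this script, not Sysmon's real schema), and the hashes are the ones listed in this report's General and Downloads sections.

```python
"""Hunt rules for the behaviours in this report, run over Sysmon-like events.

Added example: the event records are constructed to mirror the report's
process tree; the field names are this script's own, not Sysmon's schema."""
import re
from dataclasses import dataclass

# Hashes copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "74602e4cc9f25828cf5dc3b213c09e68cf95e15bfcf477bdba2b109c73cc0a79",  # submitted sample
    "6136f5b698f6496f655a10c0b8d65cab7740ae1e2f2e5541fbde5f2443d5a58c",  # 237B download
    "dc8b0f9f6095b5d7d63ee034ad0a648b79d4eea2cc58ea1041e35215c57480b8",  # 450KB download
}

SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
UNDER_WINDOWS = re.compile(r"^c:\\windows\\", re.I)
# cmd /c "...\AppData\Local\Temp\<name>.bat", tolerating the doubled quotes seen in the report
TEMP_BAT = re.compile(r'cmd(\.exe)?\s+/c\s+"*[^"]*\\appdata\\local\\temp\\[^"\\]+\.bat', re.I)
NLS_LANGUAGE = re.compile(r"\\control\\nls\\language$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def hunt(events):
    """Return findings for an ordered list of event dicts (oldest first)."""
    findings = []
    dropped = {}   # lower-cased path -> pid that wrote it
    images = {}    # pid -> image path
    for ev in events:
        kind, pid = ev["event"], ev["pid"]
        if kind == "ProcessCreate":
            image = ev["image"]
            images[pid] = image
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                findings.append(Finding("known_hash", pid, ev["sha256"]))
            # Executes dropped EXE: the image was written earlier by another process.
            writer = dropped.get(image.lower())
            if writer is not None and writer != pid:
                findings.append(Finding("executes_dropped_exe", pid, image))
            # Self-delete pattern: a parent outside C:\Windows runs cmd on a Temp batch file.
            parent = images.get(ev.get("ppid"), "")
            if TEMP_BAT.search(ev.get("cmdline", "")) and not UNDER_WINDOWS.match(parent):
                findings.append(Finding("temp_batch_via_cmd", pid, ev["cmdline"]))
        elif kind == "FileCreate":
            target = ev["target"]
            writer_image = images.get(pid, ev.get("image", ""))
            # Drops file in System32 directory: an .exe written into a system
            # directory by a program that itself lives outside C:\Windows.
            if (SYSTEM_DIR.match(target) and target.lower().endswith(".exe")
                    and not UNDER_WINDOWS.match(writer_image)):
                findings.append(Finding("exe_dropped_in_system_dir", pid, target))
            dropped[target.lower()] = pid
        elif kind == "RegistryOpen" and NLS_LANGUAGE.search(ev["key"]):
            findings.append(Finding("system_language_discovery", pid, ev["key"]))
    return findings


# Constructed events mirroring the report's process tree (plus one benign control).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe"
WININIT32 = r"C:\Windows\SysWOW64\wininit32.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
EVENTS = [
    {"event": "ProcessCreate", "pid": 2036, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "sha256": "74602e4cc9f25828cf5dc3b213c09e68cf95e15bfcf477bdba2b109c73cc0a79"},
    {"event": "RegistryOpen", "pid": 2036, "key": NLS_KEY},
    {"event": "FileCreate", "pid": 2036, "target": WININIT32},
    {"event": "ProcessCreate", "pid": 2364, "ppid": 2036, "image": WININIT32,
     "cmdline": r"C:\Windows\system32\wininit32.exe"},
    {"event": "FileCreate", "pid": 2364, "target": WININIT32},
    {"event": "ProcessCreate", "pid": 2968, "ppid": 2036, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\r2782.bat" "'},
    {"event": "RegistryOpen", "pid": 2968, "key": NLS_KEY},
    # Benign control: a Windows binary writing an .exe into System32 is not flagged.
    {"event": "FileCreate", "pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\example.exe"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
```

The rule for the System32 drop deliberately requires the writer to live outside C:\Windows, so the second creation of wininit32.exe (by the already-running copy in SysWOW64) is not flagged; in real telemetry that second write is only interesting because of the first, and the dropped-path map is what ties them together.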
Network
MITRE ATT&CK Enterprise v15
Downloads
- Download 1
  - Filesize: 237B
  - MD5: 2b9d4cdc909230010b3cf502ed159a7b
  - SHA1: d025303e0af296a8a153359cd225cd636218e1a5
  - SHA256: 6136f5b698f6496f655a10c0b8d65cab7740ae1e2f2e5541fbde5f2443d5a58c
  - SHA512: db0ac5d388f7002ab7b0345dc0665bf94d620de2531f778ff46d627e8707349c1c6f03917d28b0b6ea17bb0717414d8c0df9199b2f7bd735afaabb125fb812db
- Download 2
  - Filesize: 450KB
  - MD5: 38262b884556218bf65b526ac8cd22fb
  - SHA1: bf775fd1f9da86c914193689ce7e82a3102260b1
  - SHA256: dc8b0f9f6095b5d7d63ee034ad0a648b79d4eea2cc58ea1041e35215c57480b8
  - SHA512: cddb65591c7ce575d555cbaaf5c23b891d7c855d6013c99db305812fff784c92947af734d755f33ba81e47f86b62be31b32184f0403ee7d0937266494fa60f7f