Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/07/2024, 23:55
Static task: static1
Behavioral task: behavioral1
- Sample: 83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe
- Resource: win10v2004-20240709-en
General
- Target: 83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe
- Size: 73KB
- MD5: 8b8bbb597b3f9881c2b5695a0071c085
- SHA1: 22f8332235decb7fbf6015989d40025ccfefc0f7
- SHA256: 83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181
- SHA512: 07ee96c7630f13636b020b014bf3535066c5cddaf13bc0deb2d6300894279365c0ce83b5fd552b913f6876912ab21c04daef3425a6f02195d10f6cbce2fc1231
- SSDEEP: 1536:hbcGAJK5QPqfhVWbdsmA+RjPFLC+e5h10ZGUGf2g:hAXJNPqfcxA+HFsh1Og
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid   Process
  2348  [email protected]
- Loads dropped DLL (2 IoCs)
  pid   Process
  3068  cmd.exe
  3068  cmd.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [email protected]
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                procid_target
  PID 904 wrote to memory of 3068    904   83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe   31
  PID 904 wrote to memory of 3068    904   83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe   31
  PID 904 wrote to memory of 3068    904   83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe   31
  PID 904 wrote to memory of 3068    904   83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe   31
  PID 3068 wrote to memory of 2348   3068  cmd.exe                                                                32
  PID 3068 wrote to memory of 2348   3068  cmd.exe                                                                32
  PID 3068 wrote to memory of 2348   3068  cmd.exe                                                                32
  PID 3068 wrote to memory of 2348   3068  cmd.exe                                                                32
  PID 2348 wrote to memory of 2532   2348  [email protected]                                                      33
  PID 2348 wrote to memory of 2532   2348  [email protected]                                                      33
  PID 2348 wrote to memory of 2532   2348  [email protected]                                                      33
  PID 2348 wrote to memory of 2532   2348  [email protected]                                                      33
Processes (process tree; each child process is indented under its parent)
- C:\Users\Admin\AppData\Local\Temp\83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\83ed963062205360c492afcf6520d127840e3af15950e82f71a02cec41288181.exe"
  PID: 904
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c [email protected]
    PID: 3068
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\[email protected]
      PID: 2348
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c 00.exe
        PID: 2532
        Signatures:
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Temp\[email protected]
  Filesize: 73KB
  MD5: e71434ff5b74a58bf0d6b91b88d19cf2
  SHA1: a1ce8d1ea980b8ccdcfcdb63bcd17a38c71e3759
  SHA256: 88130d3565c9b0afae6c8122ca6031738ac259d10832a79c3ce9ba71bd7d0f34
  SHA512: e99bce391cca7de784c9b1c450b287e3c4a779a023e39a76222ea548034bd9d09638051a3afaf54ce9702ee78ee586681f87984b309cae505e60204193c1f4d8