Analysis

  • max time kernel
    15s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 22:00

General

  • Target

    5dba7cd17466d25172134642ef4ea7b0N.exe

  • Size

    140KB

  • MD5

    5dba7cd17466d25172134642ef4ea7b0

  • SHA1

    eb96684eeaabd90e868db4961cbb741cc42bc5fd

  • SHA256

    df3d22ad30c3b5a789e6a064a0c2311d88bcf33e001f9889308f13a8160a04dd

  • SHA512

    c2b3d3a9f8b221705b21b1b16fda2984bbe794ed4dd4d98c547e35ba6ad93f60a5341320cf8023d2f57b27d639f1df7e7e6c18162893774563327910448dd0fe

  • SSDEEP

    3072:FC+b/xEwBxygI9vj0AT1smXA3HizrYZ6oXHqBNI5xr:k+LxBxULrsr3CffoXKBy55

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dba7cd17466d25172134642ef4ea7b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5dba7cd17466d25172134642ef4ea7b0N.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:2504
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B8141CA4-E1A2-4F94-A42E-8EC2380FB127} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\PROGRA~3\Mozilla\qxyyhdc.exe
      C:\PROGRA~3\Mozilla\qxyyhdc.exe -tljcocn
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:1112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~3\Mozilla\qxyyhdc.exe

    Filesize

    140KB

    MD5

    fc35ee2cbe057e7c6975c3f352d2ff24

    SHA1

    6954f6ef4cebd62c98b2792f1ebb973c6b07bfe3

    SHA256

    c64f746d1e41d90445ac7e4d4933c930c29756c8e5439c954f9037812004796e

    SHA512

    084626d8d36d677deeee3a416a59b83fa953e7738bf7741329a261c1f053026f615d81848bf346e9c3b262020630a7477a11df73c49a4c107d37b8af2e23cdc5

  • memory/1112-14-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/1112-12-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/1112-11-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/1112-13-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/1112-17-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/1112-19-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2504-3-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2504-2-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2504-6-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2504-8-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2504-0-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2504-1-0x0000000000401000-0x0000000000403000-memory.dmp

    Filesize

    8KB