Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 15s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 26/07/2024, 22:00
Static task
- static1

Behavioral task
- behavioral1
  Sample: 5dba7cd17466d25172134642ef4ea7b0N.exe
  Resource: win7-20240705-en

Behavioral task
- behavioral2
  Sample: 5dba7cd17466d25172134642ef4ea7b0N.exe
  Resource: win10v2004-20240709-en
General
- Target: 5dba7cd17466d25172134642ef4ea7b0N.exe
- Size: 140KB
- MD5: 5dba7cd17466d25172134642ef4ea7b0
- SHA1: eb96684eeaabd90e868db4961cbb741cc42bc5fd
- SHA256: df3d22ad30c3b5a789e6a064a0c2311d88bcf33e001f9889308f13a8160a04dd
- SHA512: c2b3d3a9f8b221705b21b1b16fda2984bbe794ed4dd4d98c547e35ba6ad93f60a5341320cf8023d2f57b27d639f1df7e7e6c18162893774563327910448dd0fe
- SSDEEP: 3072:FC+b/xEwBxygI9vj0AT1smXA3HizrYZ6oXHqBNI5xr:k+LxBxULrsr3CffoXKBy55
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTP)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

- Executes dropped EXE (1 IoC)
  pid   Process
  1112  qxyyhdc.exe

- Drops file in Program Files directory (2 IoCs)
  description   ioc                               Process
  File created  C:\PROGRA~3\Mozilla\qxyyhdc.exe   5dba7cd17466d25172134642ef4ea7b0N.exe
  File created  C:\PROGRA~3\Mozilla\qidkayh.dll   qxyyhdc.exe

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      qxyyhdc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      5dba7cd17466d25172134642ef4ea7b0N.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   Process      procid_target
  PID 1920 wrote to memory of 1112    1920  taskeng.exe  31
  PID 1920 wrote to memory of 1112    1920  taskeng.exe  31
  PID 1920 wrote to memory of 1112    1920  taskeng.exe  31
  PID 1920 wrote to memory of 1112    1920  taskeng.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\5dba7cd17466d25172134642ef4ea7b0N.exe (PID 2504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5dba7cd17466d25172134642ef4ea7b0N.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery

- C:\Windows\system32\taskeng.exe (PID 1920)
  Command line: taskeng.exe {B8141CA4-E1A2-4F94-A42E-8EC2380FB127} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory

  - C:\PROGRA~3\Mozilla\qxyyhdc.exe (PID 1112)
    Command line: C:\PROGRA~3\Mozilla\qxyyhdc.exe -tljcocn
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 140KB
  MD5: fc35ee2cbe057e7c6975c3f352d2ff24
  SHA1: 6954f6ef4cebd62c98b2792f1ebb973c6b07bfe3
  SHA256: c64f746d1e41d90445ac7e4d4933c930c29756c8e5439c954f9037812004796e
  SHA512: 084626d8d36d677deeee3a416a59b83fa953e7738bf7741329a261c1f053026f615d81848bf346e9c3b262020630a7477a11df73c49a4c107d37b8af2e23cdc5