Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 130s
max time network: 140s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 04:23
Static task: static1
Behavioral task: behavioral1
    Sample: 89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe
    Resource: win7-20240705-en
Behavioral task: behavioral2
    Sample: 89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe
    Resource: win10v2004-20240709-en
General
Target: 89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe
Size: 320KB
MD5: 0aafd40537a281b281bd85efcb2c976b
SHA1: d9b7aa59133586c9f885899b0483117500460036
SHA256: 89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb
SHA512: 91ff154a67a4462982581e1191f91d0ac10a47b93d339f7f152bb8f97a7eec3f84e97b9a46484fa1165ffa9f9f12200ca11fb4cc814d4ad5743618a15e37ce85
SSDEEP: 6144:zqgHVf5iIZrJCt6nn01HZLj0DubeeBKjMvtwAOMX2HgzxdQacEdY:zpVBX9JCtJB9w5acH
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
    description | ioc | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Everything = "C:\\Program Files (x86)\\Everything\\Everything.exe" | reg.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry key (1 TTP, 1 IoC)
    pid | Process
    3012 | reg.exe

Suspicious use of WriteProcessMemory (8 IoCs)
    description | pid | Process | procid_target
    PID 1768 wrote to memory of 3004 | 1768 | 89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe | 30
    PID 1768 wrote to memory of 3004 | 1768 | 89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe | 30
    PID 1768 wrote to memory of 3004 | 1768 | 89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe | 30
    PID 1768 wrote to memory of 3004 | 1768 | 89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe | 30
    PID 3004 wrote to memory of 3012 | 3004 | cmd.exe | 31
    PID 3004 wrote to memory of 3012 | 3004 | cmd.exe | 31
    PID 3004 wrote to memory of 3012 | 3004 | cmd.exe | 31
    PID 3004 wrote to memory of 3012 | 3004 | cmd.exe | 31
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\89daf7a9b800a5d38cf93accc70b5f24568aa65353e2c1b44199159a8cf888fb.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1768

    Level 2: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Everything /t REG_SZ /d "C:\Program Files (x86)\Everything\Everything.exe" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3004

        Level 3: C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Everything /t REG_SZ /d "C:\Program Files (x86)\Everything\Everything.exe" /f
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Modifies registry key
            PID: 3012