Analysis
max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 17:00
Behavioral task: behavioral1
Sample: 336a38925d9d2876e11b6228c0995ad0N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 336a38925d9d2876e11b6228c0995ad0N.exe
Resource: win10v2004-20240704-en
General
Target: 336a38925d9d2876e11b6228c0995ad0N.exe
Size: 29KB
MD5: 336a38925d9d2876e11b6228c0995ad0
SHA1: 4882c1a3d8d6f0cbd5a51f855315ddad6d3dd504
SHA256: 35c4d8ce4a5c912d5fc8dadcc5c9e8da675dc2dddeef7086162d2d99db665afe
SHA512: e57236833c49a1e23eb03b81577ccc533ae9ed683b9d114d51d9d5bb4decac3555cb900e66e55f1235befe5181d41c2b773a3d215bc98ec63144e4d639dd6462
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/NP:AEwVs+0jNDY1qi/q5
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
pid | Process
780 | services.exe
resource | yara_rule
behavioral1/memory/1232-2-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/files/0x00080000000174a8-6.dat | upx
behavioral1/memory/780-11-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/1232-17-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/780-18-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/780-23-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/1232-24-0x0000000000220000-0x0000000000228000-memory.dmp | upx
behavioral1/memory/780-30-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/780-32-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/780-37-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/1232-41-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/780-42-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/780-44-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/files/0x0004000000004ed7-52.dat | upx
behavioral1/memory/1232-59-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/780-60-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/1232-63-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/780-64-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/1232-65-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/780-66-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/780-71-0x0000000000400000-0x0000000000408000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 336a38925d9d2876e11b6228c0995ad0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\java.exe | 336a38925d9d2876e11b6228c0995ad0N.exe
File created | C:\Windows\services.exe | 336a38925d9d2876e11b6228c0995ad0N.exe
File opened for modification | C:\Windows\java.exe | 336a38925d9d2876e11b6228c0995ad0N.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 336a38925d9d2876e11b6228c0995ad0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1232 wrote to memory of 780 | 1232 | 336a38925d9d2876e11b6228c0995ad0N.exe | 30
PID 1232 wrote to memory of 780 | 1232 | 336a38925d9d2876e11b6228c0995ad0N.exe | 30
PID 1232 wrote to memory of 780 | 1232 | 336a38925d9d2876e11b6228c0995ad0N.exe | 30
PID 1232 wrote to memory of 780 | 1232 | 336a38925d9d2876e11b6228c0995ad0N.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\336a38925d9d2876e11b6228c0995ad0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\336a38925d9d2876e11b6228c0995ad0N.exe"
   PID: 1232
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\services.exe (child of PID 1232)
      Command line: "C:\Windows\services.exe"
      PID: 780
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 29KB
MD5: 65f6560921c5b5fd9353957199204016
SHA1: b927e15b5fe1b643d6234eb8d89c10d1aa2a5ea9
SHA256: 7d731f434573ab892b5661db24c5057396bde0f997d33f8cb2d24cd50bd4fc70
SHA512: d9a7c05480a41da171eb25e3e346fc995e896d8efd5ddd260a3de5a0bef6ca3f441bf204e62d4210f929fb394855e71d0d9cad486e49f4ae600a802f21d66931
File 2
Filesize: 352B
MD5: b377819f04dccf095ad071a5fbc54e16
SHA1: 7adff6d63ddd4a9095878307f5675d15e77ab21b
SHA256: aff9f1456044618d57f684a5ebcd900e7114abac329908583094906b8a555c0c
SHA512: f379108094c133151b59e7d968f1d5d2d4a3ee749dc84e8a6884660b1d6e2e75df1f96dca01d9326db33a9492473006b1a764a472f0c3b6b47e97b4f04f8cd75
File 3
Filesize: 8KB
MD5: b0fe74719b1b647e2056641931907f4a
SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2