Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
27/07/2024, 01:39
General
-
Target
7b9d16e07d6d96e64e674b0a46c94580N.exe
-
Size
656KB
-
MD5
7b9d16e07d6d96e64e674b0a46c94580
-
SHA1
f0421b0c13dd924b6743944e400acd3c0044f7d5
-
SHA256
3fc99ab4ae6cd0e09ae7b63eaf34221d4464ff9eccbaa42f0eda00a3031d4bc0
-
SHA512
0a188f13c631aa9783f33e7061d89af3fd59c85618611c4a0e321861bf6e6dcf17fb9963fd1d0b1575eb880ccebe7668818ca5eefd295b8325084c4c9f5c25bb
-
SSDEEP
12288:7tKe6Zv23YLVFhBsC8iFHSs7xPY1f6HriPwU8mNCZQUEdsaj1k2CC9md:v6Zv2ivhBVnFys7xP86LkRCQsau2Y
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 1 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b9d16e07d6d96e64e674b0a46c94580N.exe"C:\Users\Admin\AppData\Local\Temp\7b9d16e07d6d96e64e674b0a46c94580N.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\spoolsv.exeC:\Windows\spoolsv.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
658KB
MD5b2eebf773c0473579ec141e78f5681cf
SHA1fb6664e9fc3c9c76c7c67c39673ae6b1d2643d27
SHA256157d94b2f3d0934d80c181596f5f890087a420bb0095bfee542277055764e36f
SHA512616e1ddf5ab0c47d126b1f392fe20e0fa875ae7a6a59670ae456ef1db12df46d15632f6fea0ce887cc6ca7ffb8c2c185ff06ddaa0ad6e1cd4237a8357f863bce
-
Filesize
660KB
MD5effe14e6424e7839a121eefb0e522030
SHA1b8880ba51bddba5740583968a3865c81007b6146
SHA2567e167eaccaff8b5979257461792511d40897c5a814d865eaa8caf2d5d32565db
SHA512bad6e0a5970c49edfad11fa65e18f38bac23af2377553db5ffcc556a8beaa20bb6f7fa1d3615d4b2eaa2f5e68740b49427158f87637138b90c066fd28ca51cb2
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB