Analysis
- max time kernel: 120s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 27/07/2024, 04:12
Behavioral task behavioral1
- Sample: 8edc229276235f28da6a7c4badbef360N.exe
- Resource: win7-20240705-en
Behavioral task behavioral2
- Sample: 8edc229276235f28da6a7c4badbef360N.exe
- Resource: win10v2004-20240709-en
General
- Target: 8edc229276235f28da6a7c4badbef360N.exe
- Size: 11KB
- MD5: 8edc229276235f28da6a7c4badbef360
- SHA1: d31e42f6895b6b18229374f5616586fb36b24862
- SHA256: b023d1cfb273b515a30b82298c5fcaa7b5a6f6e7d8d85b9ba4e5204944b06f64
- SHA512: ad61a6ed08e8be07c4fb9a329cc978412604e93d3cde7a9e4287878d47468963e574c4938084111facba6b7b581790b9d23ce19b65a0e2daeaae14264cc3e04a
- SSDEEP: 192:y5085ewGKJM3+CKPJXV1CGgNMIGIV/4zM/i/rH2Y0u2tbOVhHNMAPabg:y5fHBl1mxGIVg+KHf8aVhtMA4g
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Deletes itself (1 IoCs)
  pid 2660, process cmd.exe
- Executes dropped EXE (1 IoCs)
  pid 2980, process jolinosk.exe
- Loads dropped DLL (2 IoCs)
  pid 2076, process 8edc229276235f28da6a7c4badbef360N.exe
  pid 2076, process 8edc229276235f28da6a7c4badbef360N.exe
- YARA rule matches (resource, yara_rule)
  behavioral1/memory/2076-0-0x0000000000400000-0x000000000040E000-memory.dmp, upx
  behavioral1/files/0x0008000000015e21-3.dat, upx
  behavioral1/memory/2980-13-0x0000000000400000-0x000000000040E000-memory.dmp, upx
  behavioral1/memory/2076-12-0x0000000000400000-0x000000000040E000-memory.dmp, upx
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\jolinos.dll, process 8edc229276235f28da6a7c4badbef360N.exe
  File created: C:\Windows\SysWOW64\jolinosk.exe, process 8edc229276235f28da6a7c4badbef360N.exe
  File opened for modification: C:\Windows\SysWOW64\jolinosk.exe, process 8edc229276235f28da6a7c4badbef360N.exe
- Event Triggered Execution: Accessibility Features (1 TTPs)
  Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cmd.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process 8edc229276235f28da6a7c4badbef360N.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2076 wrote to memory of 2980 (process 8edc229276235f28da6a7c4badbef360N.exe, procid_target 30)
  PID 2076 wrote to memory of 2980 (process 8edc229276235f28da6a7c4badbef360N.exe, procid_target 30)
  PID 2076 wrote to memory of 2980 (process 8edc229276235f28da6a7c4badbef360N.exe, procid_target 30)
  PID 2076 wrote to memory of 2980 (process 8edc229276235f28da6a7c4badbef360N.exe, procid_target 30)
  PID 2076 wrote to memory of 2660 (process 8edc229276235f28da6a7c4badbef360N.exe, procid_target 32)
  PID 2076 wrote to memory of 2660 (process 8edc229276235f28da6a7c4badbef360N.exe, procid_target 32)
  PID 2076 wrote to memory of 2660 (process 8edc229276235f28da6a7c4badbef360N.exe, procid_target 32)
  PID 2076 wrote to memory of 2660 (process 8edc229276235f28da6a7c4badbef360N.exe, procid_target 32)
Processes
- C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe (PID 2076, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\jolinosk.exe (PID 2980, level 2)
    Command line: C:\Windows\system32\jolinosk.exe ˜‰
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2660, level 2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 184B
  MD5: 6a345be9d1966844cb2042d0a47232a0
  SHA1: ad78b71ec1d8b68beb3143285deae44f874b24d7
  SHA256: 9e5e9ab9ab69bcf3e2bb43d96ce520550815133e6463e87fea288effcc2232e1
  SHA512: 2feeded17883523b517fdd073b4af97c2fcc974a4b4358787f6f5b37bea26363271b5419eb0a15640e453d13e20c18b64b57949d3cddf2cc7bdc2e0c51c92882
- Filesize: 11KB
  MD5: 8edc229276235f28da6a7c4badbef360
  SHA1: d31e42f6895b6b18229374f5616586fb36b24862
  SHA256: b023d1cfb273b515a30b82298c5fcaa7b5a6f6e7d8d85b9ba4e5204944b06f64
  SHA512: ad61a6ed08e8be07c4fb9a329cc978412604e93d3cde7a9e4287878d47468963e574c4938084111facba6b7b581790b9d23ce19b65a0e2daeaae14264cc3e04a