Analysis

  • max time kernel
    120s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/07/2024, 04:12

General

  • Target

    8edc229276235f28da6a7c4badbef360N.exe

  • Size

    11KB

  • MD5

    8edc229276235f28da6a7c4badbef360

  • SHA1

    d31e42f6895b6b18229374f5616586fb36b24862

  • SHA256

    b023d1cfb273b515a30b82298c5fcaa7b5a6f6e7d8d85b9ba4e5204944b06f64

  • SHA512

    ad61a6ed08e8be07c4fb9a329cc978412604e93d3cde7a9e4287878d47468963e574c4938084111facba6b7b581790b9d23ce19b65a0e2daeaae14264cc3e04a

  • SSDEEP

    192:y5085ewGKJM3+CKPJXV1CGgNMIGIV/4zM/i/rH2Y0u2tbOVhHNMAPabg:y5fHBl1mxGIVg+KHf8aVhtMA4g

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe
    "C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\jolinosk.exe
      C:\Windows\system32\jolinosk.exe ˜‰
      2⤵
      • Executes dropped EXE
      PID:2980
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe.bat

    Filesize

    184B

    MD5

    6a345be9d1966844cb2042d0a47232a0

    SHA1

    ad78b71ec1d8b68beb3143285deae44f874b24d7

    SHA256

    9e5e9ab9ab69bcf3e2bb43d96ce520550815133e6463e87fea288effcc2232e1

    SHA512

    2feeded17883523b517fdd073b4af97c2fcc974a4b4358787f6f5b37bea26363271b5419eb0a15640e453d13e20c18b64b57949d3cddf2cc7bdc2e0c51c92882

  • \Windows\SysWOW64\jolinosk.exe

    Filesize

    11KB

    MD5

    8edc229276235f28da6a7c4badbef360

    SHA1

    d31e42f6895b6b18229374f5616586fb36b24862

    SHA256

    b023d1cfb273b515a30b82298c5fcaa7b5a6f6e7d8d85b9ba4e5204944b06f64

    SHA512

    ad61a6ed08e8be07c4fb9a329cc978412604e93d3cde7a9e4287878d47468963e574c4938084111facba6b7b581790b9d23ce19b65a0e2daeaae14264cc3e04a

  • memory/2076-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2076-11-0x0000000000230000-0x000000000023E000-memory.dmp

    Filesize

    56KB

  • memory/2076-10-0x0000000000230000-0x000000000023E000-memory.dmp

    Filesize

    56KB

  • memory/2076-12-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2076-16-0x0000000000230000-0x000000000023E000-memory.dmp

    Filesize

    56KB

  • memory/2980-13-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB