Analysis
  max time kernel: 117s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240705-en
  resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted: 02/08/2024, 00:58
Static task: static1

Behavioral task: behavioral1
  Sample: 71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe
  Resource: win10v2004-20240730-en

The signatures, process tree and downloads on this page come from behavioral1 (platform windows7_x64, resource win7-20240705-en); the behavioral2 (Windows 10) results are not included here.
General
  Target: 71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe
  Size: 73KB
  MD5: 854edf3fec36c85e8927c2885f1ba99d
  SHA1: eb64395e88074638ededf5050a94d4b664089660
  SHA256: 71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444
  SHA512: 65d96c45888ebfb0ab8097cc8b1694e25773626e8eafb1423fc262c0a508877f4d33bf80870faedc28c36a69c0509e00654cceb13d5ded38a78793fb77534120
  SSDEEP: 1536:hbXzeDY4a/DcK5QPqfhVWbdsmA+RjPFLC+e5h+0ZGUGf2g:hDzeDMcNPqfcxA+HFsh+Og
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID   Process
  2420  [email protected]

Loads dropped DLL (2 IoCs)
  PID   Process
  2220  cmd.exe
  2220  cmd.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [email protected]
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  The same key is opened by cmd.exe, a stock system binary, so on this report the read is generic process start-up behaviour and not by itself evidence of a deliberate locale check by the sample.

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                procid_target  Entries
  PID 1040 wrote to memory of 2220  1040  71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe  31             4
  PID 2220 wrote to memory of 2420  2220  cmd.exe                                                                32             4
  PID 2420 wrote to memory of 1692  2420  [email protected]                                                      33             4
  Every target is the writer's own direct child in the process tree below (1040 spawns 2220, 2220 spawns 2420, 2420 spawns 1692), so these are parent-to-child writes around process launch, not writes into an unrelated process.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe"
     PID: 1040
     Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c [email protected]
        PID: 2220
        Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        3. C:\Users\Admin\AppData\Local\Temp\[email protected]
           Command line: C:\Users\Admin\AppData\Local\Temp\[email protected]
           PID: 2420
           Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

           4. C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c 00.exe
              PID: 1692
              Signatures: System Location Discovery: System Language Discovery

Notes on the tree: each stage uses cmd.exe /c as a launcher for the next executable instead of creating it directly. The cmd.exe image resolves to C:\Windows\SysWOW64 although the command line names C:\Windows\system32, which is the WOW64 file-system redirection applied to a 32-bit process on the 64-bit image, so the chain runs as 32-bit code. The last stage, cmd.exe /c 00.exe, has no child process in the tree and no file named 00.exe appears under Downloads, so the trace ends there.
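The three findings above (parent-to-child WriteProcessMemory, a dropped executable launched through cmd.exe /c, and a NLS\Language read that cmd.exe also performs) re-derived from the raw events, as an added example that is not tria.ge's own signature code. The process, memory-write and registry records are transcribed from this report; the dropped-file name is used exactly as the page shows it. The labels "own-child" and "cross-process", the %TEMP% rule for dropped executables and the treatment of a system binary's registry read as generic start-up behaviour are the author's own assumptions, not Triage's logic.

```python
"""
Re-derive this report's behavioural findings from its raw events.

Added example for this page; it is not tria.ge's own signature code. The
process, memory-write and registry records are transcribed from the report
above ("[email protected]" is the dropped-file name exactly as the page shows
it). The classification rules are the author's own assumptions about what an
analyst wants to separate, not Triage's logic.
"""
from collections import defaultdict

SAMPLE = "71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED_PATH = TEMP + "\\[email protected]"

# (pid, parent pid, image path, command line), from the Processes section.
PROCESSES = [
    (1040, None, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    (2220, 1040, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c [email protected]"),
    (2420, 2220, DROPPED_PATH, DROPPED_PATH),
    (1692, 2420, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c 00.exe"),
]

# (writer pid, target pid), from "Suspicious use of WriteProcessMemory".
MEMORY_WRITES = [(1040, 2220)] * 4 + [(2220, 2420)] * 4 + [(2420, 1692)] * 4

# Pids that opened ...\Control\NLS\Language, from "System Language Discovery".
NLS_READERS = [1040, 2220, 2420, 2220]


def _record(pid):
    return next(r for r in PROCESSES if r[0] == pid)


def classify_memory_writes():
    """Group WriteProcessMemory events by (writer, target) and label each pair.

    A target that is the writer's own direct child is parent-to-child writing
    around process launch ("own-child"); any other target is a genuine
    cross-process write, which the signature name suggests but this report
    does not show.
    """
    counts = defaultdict(int)
    for writer, target in MEMORY_WRITES:
        counts[(writer, target)] += 1
    return {
        (writer, target): ("own-child" if _record(target)[1] == writer else "cross-process")
        for writer, target in counts
    }


def dropped_executions():
    """Pids whose image lives in %TEMP% but is not the submitted sample."""
    return [pid for pid, _, image, _ in PROCESSES
            if image.lower().startswith(TEMP.lower()) and not image.endswith(SAMPLE)]


def cmd_launchers():
    """(cmd.exe pid, child pid or None) for every cmd.exe /c used to start a program.

    A None child means the /c target never became a process in the trace, as
    with 00.exe at the end of this chain.
    """
    out = []
    for pid, _, image, cmdline in PROCESSES:
        if image.lower().endswith("\\cmd.exe") and " /c " in cmdline.lower():
            children = [c for c, parent, _, _ in PROCESSES if parent == pid]
            out.append((pid, children[0] if children else None))
    return out


def nls_read_is_specific():
    """True only if no stock system binary also opened the NLS\\Language key.

    When cmd.exe makes the same read, the event is generic process start-up
    behaviour on this image and not a deliberate locale check by the sample.
    """
    readers = {_record(pid)[2].lower() for pid in NLS_READERS}
    return not any(image.endswith("\\cmd.exe") for image in readers)


def chain_depth():
    """Length of the longest parent->child chain (PROCESSES lists parents first)."""
    depth = {}
    for pid, parent, _, _ in PROCESSES:
        depth[pid] = 1 if parent is None else depth[parent] + 1
    return max(depth.values())


if __name__ == "__main__":
    print("memory writes:", classify_memory_writes())
    print("dropped executables run:", dropped_executions())
    print("cmd.exe /c launchers:", cmd_launchers())
    print("NLS\\Language read specific to sample:", nls_read_is_specific())
    print("chain depth:", chain_depth())
```

Run it as a script to see the classification for this report: all twelve memory writes land on the writer's own child, the only dropped executable run is PID 2420, the second cmd.exe /c launcher has no child, and the NLS\Language read is shared with cmd.exe. The same functions work on any other report once PROCESSES, MEMORY_WRITES and NLS_READERS are filled from it.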
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Users\Admin\AppData\Local\Temp\[email protected]
    Filesize: 73KB
    MD5: 6a15f931471bbb6cff915c6185f086cb
    SHA1: 80f2679b2ced214b50dbef65a16f0afb5172105d
    SHA256: 03655d68af755c395d5d3a5b7e096db66072d855123ecec5b1f0b84e5db06d99
    SHA512: 29ea65cf5e29fd5c4b9a175d1ecd8c4c4063791e2747d3b6a00e8ea8203ad24d44c959d0a3a214b021bb78caf882e55aaf824d655249d752075a04c20face8d0
  The dropped file has the same 73KB size as the submitted sample but different hashes, so it is not a byte-identical copy of the sample; pivot on its SHA256 separately from the sample's.