Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
99s -
max time network
109s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
02/08/2024, 02:37
Static task
static1
Behavioral task
behavioral1
Sample
3ff37570833246feca450570b488af90N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
3ff37570833246feca450570b488af90N.exe
Resource
win10v2004-20240730-en
General
-
Target
3ff37570833246feca450570b488af90N.exe
-
Size
57KB
-
MD5
3ff37570833246feca450570b488af90
-
SHA1
b65787d1914bf58afcc604a38ea2b7dc6f5bd8a8
-
SHA256
9f4d93da633a2b25b0fd5a2a37ce120499ce6d94b4bd8c688bd015b504a930ab
-
SHA512
7cd9b4f767f45f1192b064bfea51fa6009351cfa0f98f72614da5dabfdc0615a8236eec1b94004de8ed269fb2c7882ced80b76887af439cc71dd5e51b2ecf5d8
-
SSDEEP
384:asjPGY2HXgrkEYYhQ98E8I1XAV/QcaYpATUgch1A9NB/erxFpkM:aePG5H8XhKD8ISZQjkgs1lxFj
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1148 winupdate.exe -
Loads dropped DLL 1 IoCs
pid Process 3056 3ff37570833246feca450570b488af90N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ff37570833246feca450570b488af90N.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 winupdate.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 winupdate.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3056 wrote to memory of 1148 3056 3ff37570833246feca450570b488af90N.exe 30 PID 3056 wrote to memory of 1148 3056 3ff37570833246feca450570b488af90N.exe 30 PID 3056 wrote to memory of 1148 3056 3ff37570833246feca450570b488af90N.exe 30 PID 3056 wrote to memory of 1148 3056 3ff37570833246feca450570b488af90N.exe 30 PID 3056 wrote to memory of 1148 3056 3ff37570833246feca450570b488af90N.exe 30 PID 3056 wrote to memory of 1148 3056 3ff37570833246feca450570b488af90N.exe 30 PID 3056 wrote to memory of 1148 3056 3ff37570833246feca450570b488af90N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ff37570833246feca450570b488af90N.exe"C:\Users\Admin\AppData\Local\Temp\3ff37570833246feca450570b488af90N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\winupdate.exe"C:\Users\Admin\AppData\Local\Temp\winupdate.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:1148
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57KB
MD5a010ec7ca8d3dcc199af2352870f2e42
SHA1bbb93ffe66f3944d3bd8e84294a1429567c899ab
SHA256f53be85c5174e513767ed3eebfbe23ac13cf1d1a7b2ef5cbf980db8e1fb85a92
SHA51220fd1a1d5531a96dac6a4d498c5dd2f9421fe05f7f89b31aab2729f301507eff75a666f5492abae00b3e038bef78d9ddfd6534f17c93b2d26bf3f149d2b5400e