Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system -
submitted
02/08/2024, 07:25
Static task
static1
Behavioral task
behavioral1
Sample
721839f3b46046e609e0460fc7d66280N.exe
Resource
win7-20240705-en
General
-
Target
721839f3b46046e609e0460fc7d66280N.exe
-
Size
506KB
-
MD5
721839f3b46046e609e0460fc7d66280
-
SHA1
be5fd324888881f66a8c22dc91192d2b78f06a16
-
SHA256
a7ff068df4e5cb90cfef8c4b5f6d512ca021ae9b71b111e701cfef53e953a960
-
SHA512
5ddf274d2761c7184229a11ffeb4279bef19149a4ae0b9badfd43f87d4947aa730ec83bf72f5feef0e415f28dcac3177a77ec80776c43e3d7e9dfc6785523d9b
-
SSDEEP
12288:DyQRUAXZNHvLiW4NJz5cY2vklltT1AV0MjoB5W+u:Dy5AXDHvLijd2cllpGV0MC59u
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 721839f3b46046e609e0460fc7d66280N.exe -
Executes dropped EXE 1 IoCs
pid Process 2700 s5935.exe -
Loads dropped DLL 4 IoCs
pid Process
2348 721839f3b46046e609e0460fc7d66280N.exe
2348 721839f3b46046e609e0460fc7d66280N.exe
2348 721839f3b46046e609e0460fc7d66280N.exe
2348 721839f3b46046e609e0460fc7d66280N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 721839f3b46046e609e0460fc7d66280N.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS 721839f3b46046e609e0460fc7d66280N.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer 721839f3b46046e609e0460fc7d66280N.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2348 721839f3b46046e609e0460fc7d66280N.exe 2700 s5935.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2700 s5935.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2700 s5935.exe 2700 s5935.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2348 wrote to memory of 2700 2348 721839f3b46046e609e0460fc7d66280N.exe 30
PID 2348 wrote to memory of 2700 2348 721839f3b46046e609e0460fc7d66280N.exe 30
PID 2348 wrote to memory of 2700 2348 721839f3b46046e609e0460fc7d66280N.exe 30
PID 2348 wrote to memory of 2700 2348 721839f3b46046e609e0460fc7d66280N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\721839f3b46046e609e0460fc7d66280N.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\721839f3b46046e609e0460fc7d66280N.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\n5935\s5935.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\n5935\s5935.exe" ins.exe /e6126600 /u50d1d9d5-cf90-407c-820a-35e05bc06f2f /v"C:\Users\Admin\AppData\Local\Temp\721839f3b46046e609e0460fc7d66280N.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2700
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
275KB
MD5
316287c0010874356127dd8b7bc17896
SHA1
0939ad854954393f052f5ba64b6c4b8e03a8866b
SHA256
69d0557e8d695a1d44ed91b643b93a01a2fd74056dc21bf334965f5045e8f4c9
SHA512
1d995b5e18bdf387a42d0029d20c1f2889fa70c5bc8895df674fc83e3b49bb2acd8031966b593cff2b72438bde929a50a7558adc1df5d8cae7097b8fedb39c1c