Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/08/2024, 10:14

General

  • Target

    8d45d4a6c47ab63ff6d8406ef3b51f00N.exe

  • Size

    490KB

  • MD5

    8d45d4a6c47ab63ff6d8406ef3b51f00

  • SHA1

    fd3e789930abe7fb3d19555d2fd98be8cf9f39d7

  • SHA256

    a8462d86259376aaff500ac50dfbc31caf8bf10ae0313403425957f6d635f300

  • SHA512

    506ab245b727b07c79238530a2ee31fd88ce35c2b19a6d75cd7f4e216bb3f9f630753cce150850da8268b3d2efa1d247eb1223b65bdf6b4f6db47fd217950eaf

  • SSDEEP

    12288:U+TRL7A0wg5rYzCm4juSIBS2RVFW4P6gr646b19mmVj:U+17A0wRs92V1By6mVj

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d45d4a6c47ab63ff6d8406ef3b51f00N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d45d4a6c47ab63ff6d8406ef3b51f00N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Users\Admin\AppData\Local\Temp\n6323\s6323.exe
      "C:\Users\Admin\AppData\Local\Temp\n6323\s6323.exe" ins.exe /e12386661 /u52fe2c91-49dc-40b7-b209-1f140a000013
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\n6323\s6323.exe

    Filesize

    269KB

    MD5

    ad76cab590ec4c1d3008589d2d2eb052

    SHA1

    3fd9b837fd4a078411c0958a41b1adb321e1016a

    SHA256

    a2111f7d4b36800e840b63573fcb044ea18fb4bc3fef2b8f2724d0d4b5e6c51a

    SHA512

    b8f6695a4c4c18046fb3da55f5c6d1fd60b4e90d8952bceb27296da1a522a97a829494bab103375595a599c602d337926270f2422401678af8d5393490e53432

  • memory/1276-14-0x000007FEF604E000-0x000007FEF604F000-memory.dmp

    Filesize

    4KB

  • memory/1276-15-0x00000000004C0000-0x00000000004CA000-memory.dmp

    Filesize

    40KB

  • memory/1276-17-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

    Filesize

    9.6MB

  • memory/1276-16-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

    Filesize

    9.6MB

  • memory/1276-18-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

    Filesize

    9.6MB