Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 03/08/2024, 05:28
Static task: static1
Behavioral task: behavioral1
- Sample: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe
- Resource: win10v2004-20240802-en
General
- Target: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe
- Size: 38KB
- MD5: 56fe8f72a0fe6ee444f82b6b7bb11300
- SHA1: 6fd41cd06b1d310e2def1adc727d44a7851753cf
- SHA256: ef380bbb2df556bdc3bf931f7883e6ef7cc156a97fab1e0e1178449663abcb37
- SHA512: f4c4d89a43bf6b2526a0cbd3c1275c51a9824352f06ff396ff0094fa0e0b3ab3a82bbb8213e7f8f239fefc224bd8652c7225e7d5517100c306a34c9aaafc38ab
- SSDEEP: 768:DqPJtsA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhH:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYn
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2096, process microsofthelp.exe
- Executes dropped EXE (1 IoCs)
  pid 2096, process microsofthelp.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" (process: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe)
- Drops file in Windows directory (1 IoCs)
  File created: C:\Windows\microsofthelp.exe (process: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2400 wrote to memory of 2096 (process: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe, procid_target: 30)
  PID 2400 wrote to memory of 2096 (process: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe, procid_target: 30)
  PID 2400 wrote to memory of 2096 (process: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe, procid_target: 30)
  PID 2400 wrote to memory of 2096 (process: 56fe8f72a0fe6ee444f82b6b7bb11300N.exe, procid_target: 30)
Processes
1. C:\Users\Admin\AppData\Local\Temp\56fe8f72a0fe6ee444f82b6b7bb11300N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\56fe8f72a0fe6ee444f82b6b7bb11300N.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2400
   2. C:\Windows\microsofthelp.exe
      Command line: "C:\Windows\microsofthelp.exe"
      - Deletes itself
      - Executes dropped EXE
      PID: 2096
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 38KB
  MD5: 8a8ab1427025ed09c443073be7ab5c9c
  SHA1: e7952f1dc112e4ad2611c5c6cfa0d3ac7abd7c87
  SHA256: 7e861fb517e11ffdbf51faecbf75a371cc543aad9281267325d8ea9a93e6381d
  SHA512: 80aac0d7da472252e4a545364429f5e8b6ec6a038b52e161b6c722c4f3950d9c16bc939d9e7f1f93c74fb3111ca26947c75e21006c80302b6d9b7e04fa1a72c4