Analysis

  • max time kernel
    46s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/08/2024, 13:00

General

  • Target

    PI24000032.exe

  • Size

    1.2MB

  • MD5

    4ea21bce2e927e066bd726b8d38a2adc

  • SHA1

    a4d7a0820e72d4cdd3e0d882593c69983ad6e043

  • SHA256

    9c2a88e6231afc32955d617333a563b8961175a3ea9f01a97140aa6707ef7272

  • SHA512

    4c3016090b9f917c929b4c08f62cbb923eec32ae06f6ba42a4323f98c8dfedbf38e675c1787d752ad0f03cde72e01c47d15000200a08dc34d7729403bac5b1ac

  • SSDEEP

    24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8av0NzEdqf3LyFPQ7leIJ:5TvC/MTQYxsWR7av0NwQf3L6Y7le

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PI24000032.exe
    "C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\emboweling

    Filesize

    280KB

    MD5

    3e87a8823c6f4231f6cfc1fdc08dae11

    SHA1

    9773a563be5d99db6d9ebee374b70aaea13691b8

    SHA256

    44096e8052b7c31a31f65ef79bcdcdc4a446f969b38e56f2cc2505993ab133cf

    SHA512

    bf5a4d88a5dfffb6f5c4bca70c6b01133281824edf745f9d4ceedf7cdba7e8a0387ff852a2e03e4bda35f8164d0be789b7a47734932e3e03d9251239d8ea07c6

  • memory/1720-12-0x0000000000160000-0x0000000000164000-memory.dmp

    Filesize

    16KB

  • memory/2756-13-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/2756-14-0x0000000000940000-0x0000000000C43000-memory.dmp

    Filesize

    3.0MB

  • memory/2756-15-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/2756-16-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB