Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 05/08/2024, 14:40
Static task: static1
Behavioral task: behavioral1
- Sample: MalwareBazaar.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: MalwareBazaar.exe
- Resource: win10v2004-20240802-en
General
- Target: MalwareBazaar.exe
- Size: 1.2MB
- MD5: 5f9a0cb83894c70bc24e0f9254fb8c47
- SHA1: 4a72402a2de6f13d3bc7aea07efe0fb0942ed740
- SHA256: b79a12b0fc47bdaa7e1da3863e004d5e4a9acfcbb251ee60248564ceeb451b8d
- SHA512: 8f9e3557d4fcc2471d234fc7b1495993706edb24a38f9067239afe05371d170754e121e2ce8eadd1a949ad0d86f639a2f3bf7b386e3633d2e5bf4a6d1e466c03
- SSDEEP: 24576:hqDEvCTbMWu7rQYlBQcBiT6rprG8aNiSSHyA1jXh:hTvC/MTQYxsWR7aNiSSFpX
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 3044 set thread context of 2832; pid: 3044; Process: MalwareBazaar.exe; procid_target: 30
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: MalwareBazaar.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid: 2832; Process: svchost.exe (7 identical entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 3044; Process: MalwareBazaar.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid: 3044; Process: MalwareBazaar.exe (2 identical entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid: 3044; Process: MalwareBazaar.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 3044 wrote to memory of 2832; pid: 3044; Process: MalwareBazaar.exe; procid_target: 30 (5 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 3044, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2832, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 281KB
  MD5: 69d66bc768f1c50e4ea1cf68a0d92602
  SHA1: b2a549ef3d452d85af705764760903224a5d5522
  SHA256: 539bf6030060fb375c51f71c206921d1511d6c138b7286ce84abfa63aca9c2a4
  SHA512: ab1df0052568119868b60407d8a5741008c26309871911d06f58d50959d7ac44c7c8064b94c7952807b7b9cf15051840a6898cdcd0bdef628bbc97c38df49373