Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
06/08/2024, 00:52 UTC
General
-
Target
3319c07a67f330acac1d221408fec4d0N.exe
-
Size
268KB
-
MD5
3319c07a67f330acac1d221408fec4d0
-
SHA1
f262046dea8d1a2da68acafa7a73f3ec4a322cd5
-
SHA256
dbf0df58ddd70dc4b8ac732dfb88928bc5fb5b881271af703960de4b179c3246
-
SHA512
069304aa67a2f27a18bfae25370e82224e1b63e6c9d0a719b327f9a7fccbd7973e688fcafa1d47c3ea2f5b502ad34bed3b43eaf12c02e3df995deb38910b1fa8
-
SSDEEP
3072:9sSQrIhmyNDY1zuBvLen8DlZniqBXv7yOsWvgbsmIHX0WRIh:9CMsyy1qFy8xZnisyOs2tHEWRe
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 27 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3319c07a67f330acac1d221408fec4d0N.exe"C:\Users\Admin\AppData\Local\Temp\3319c07a67f330acac1d221408fec4d0N.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\leocam.exe"C:\Users\Admin\leocam.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Network
-
DNSns1.chopsuwey.comRemote address:8.8.8.8:53Requestns1.chopsuwey.comIN AResponse -
DNSns1.chopsuwey.netRemote address:8.8.8.8:53Requestns1.chopsuwey.netIN AResponse
-
DNSns1.chopsuwey.orgRemote address:8.8.8.8:53Requestns1.chopsuwey.orgIN AResponse
-
DNSns1.chopsuwey.bizRemote address:8.8.8.8:53Requestns1.chopsuwey.bizIN AResponse
-
DNSns1.chopsuwey.infoRemote address:8.8.8.8:53Requestns1.chopsuwey.infoIN AResponse
-
8.8.8.8:53ns1.chopsuwey.comdns
DNS Request
ns1.chopsuwey.com
-
8.8.8.8:53ns1.chopsuwey.netdns
DNS Request
ns1.chopsuwey.net
-
8.8.8.8:53ns1.chopsuwey.orgdns
DNS Request
ns1.chopsuwey.org
-
8.8.8.8:53ns1.chopsuwey.bizdns
DNS Request
ns1.chopsuwey.biz
-
8.8.8.8:53ns1.chopsuwey.infodns
DNS Request
ns1.chopsuwey.info
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
268KB
MD5ab42e058f30993aa8b966e1a55560268
SHA1038c6908c1808e1367a43189937fd37c1d8feb9c
SHA2566386b5fa6df5cd359a23fad302312771b0f71d9e01acbaaed1e9465ea9c0fe3a
SHA5129030392b92bbe046d174abadd3e8346fd95f0f800b9e5c4125865b9d92f70cbae1c83495abc84879c246966e8731a3ffcc54f06a3daf2c75b12f504a95d7becf