Analysis
max time kernel  120s
max time network  120s
platform  windows7_x64
resource  win7-20240704-en
resource tags  arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted  06/08/2024, 08:40
Behavioral task behavioral1
Sample  8465bd48729dd7390abc0c3f95e172a0N.exe
Resource  win7-20240704-en
Behavioral task behavioral2
Sample  8465bd48729dd7390abc0c3f95e172a0N.exe
Resource  win10v2004-20240802-en
General
Target  8465bd48729dd7390abc0c3f95e172a0N.exe
Size  29KB
MD5  8465bd48729dd7390abc0c3f95e172a0
SHA1  a9a3f09d5c89046ccb8aa87e4d431dca6ac0477f
SHA256  a42c3112c56e30bf848c16b7b134f4cff456e4106058f33e607f70f80f781593
SHA512  b819b0e388378bb28b993ca97a43112c4c594662b5ab1ae8719d2d2ae2ee36b10a76c160c7ba9f7206258d1135046e9e1d091ed34f7925b5ee8a290edf1a2c30
SSDEEP  768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/M:AEwVs+0jNDY1qi/qU
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid  Process
2812  services.exe
-
YARA rule hits
resource  yara_rule
behavioral1/memory/2184-2-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral1/files/0x000800000001870f-6.dat  upx
behavioral1/memory/2812-11-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2184-17-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral1/memory/2812-18-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2812-23-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2812-30-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2184-31-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral1/memory/2812-32-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2184-36-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral1/memory/2812-37-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/files/0x002e000000018681-50.dat  upx
behavioral1/memory/2184-60-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral1/memory/2812-61-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2812-63-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2184-67-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral1/memory/2812-68-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2184-72-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral1/memory/2812-73-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2184-74-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral1/memory/2812-75-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral1/memory/2812-80-0x0000000000400000-0x0000000000408000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"  8465bd48729dd7390abc0c3f95e172a0N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe
-
Drops file in Windows directory 3 IoCs
description  ioc  Process
File created  C:\Windows\services.exe  8465bd48729dd7390abc0c3f95e172a0N.exe
File opened for modification  C:\Windows\java.exe  8465bd48729dd7390abc0c3f95e172a0N.exe
File created  C:\Windows\java.exe  8465bd48729dd7390abc0c3f95e172a0N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8465bd48729dd7390abc0c3f95e172a0N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  services.exe
-
Modifies system certificate store
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  8465bd48729dd7390abc0c3f95e172a0N.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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  8465bd48729dd7390abc0c3f95e172a0N.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description  pid  Process  procid_target
PID 2184 wrote to memory of 2812  2184  8465bd48729dd7390abc0c3f95e172a0N.exe  30
PID 2184 wrote to memory of 2812  2184  8465bd48729dd7390abc0c3f95e172a0N.exe  30
PID 2184 wrote to memory of 2812  2184  8465bd48729dd7390abc0c3f95e172a0N.exe  30
PID 2184 wrote to memory of 2812  2184  8465bd48729dd7390abc0c3f95e172a0N.exe  30
Processes
-
C:\Users\Admin\AppData\Local\Temp\8465bd48729dd7390abc0c3f95e172a0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8465bd48729dd7390abc0c3f95e172a0N.exe"
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2184
  -
  C:\Windows\services.exe
  Command line: "C:\Windows\services.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2812
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  70KB
MD5  49aebf8cbd62d92ac215b2923fb1b9f5
SHA1  1723be06719828dda65ad804298d0431f6aff976
SHA256  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize  181KB
MD5  4ea6026cf93ec6338144661bf1202cd1
SHA1  a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize  29KB
MD5  ab0e4d376a6a84c3921607666a512caa
SHA1  49bee3f3bea3cf39a0b8d817564b1c271727b5d0
SHA256  5bb0cfb9711dfd1c24d128339525cd313f81d1683aa6d7d52eb6dbd72381e9cf
SHA512  0b2296888360d9b0b42c49e955b85dd8f3f66cb984f637e365817cd6608414d74cdb605ff87278720d4aa3accfb49898396dfac2c4a4156241a53463ad1e5126
-
Filesize  352B
MD5  358d17c41efeea77456fc4e7d128bc14
SHA1  4836fd4480228894857e98824455d3bba3708e72
SHA256  20f5686d9062c7b11f8ff77ef775b2fc913c26fc434ebaefc9b105b0058875af
SHA512  718b5dfd2eae2103befaaf1c9db5689862ce65e310700f258bc6b9657acd18b0bce286f08ae7dc78e69a46fa34c0e2ff60c8af83ba6769754ca58e8ed118786d
-
Filesize  352B
MD5  85408ccac4b9b68e743be6eef7ec9354
SHA1  d88f79627b64e9a1775fb21c6256729e107256df
SHA256  ed7c36d1fc14917657e947edc0d0d7ab37005e41f09780d44ed6ae14ee925a4c
SHA512  0d77405572093957cd7ff56f9834ae3ceb2a82cf649b501fabbf9afa6607ec4d8edd8a94b9850a37dc4dce59e9a23eb9b879cd4790d8b5fd2ca5cac2be1132d9
-
Filesize  8KB
MD5  b0fe74719b1b647e2056641931907f4a
SHA1  e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256  bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512  9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2