Analysis
- max time kernel: 240s
- max time network: 242s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 07/08/2024, 02:04
Tasks
- Static task static1
- Behavioral task behavioral1: Sample 202407名单.exe, Resource win7-20240708-en
- Behavioral task behavioral2: Sample 202407名单.exe, Resource win10-20240404-en
- Behavioral task behavioral3: Sample 202407名单.exe, Resource win10v2004-20240802-en
- Behavioral task behavioral4: Sample GBgvQcZI.exe, Resource win7-20240705-en
- Behavioral task behavioral5: Sample GBgvQcZI.exe, Resource win10-20240404-en
- Behavioral task behavioral6: Sample GBgvQcZI.exe, Resource win10v2004-20240802-en
General
- Target: GBgvQcZI.exe
- Size: 5.4MB
- MD5: 44a4d63d84c1994a941860fdf0a10aae
- SHA1: 0150f8f5bda824262045c0527fde43a7907769a9
- SHA256: ef4b5c68a718ac34a957ada64a366868b7a609887208634d46e5ad75a8c70bdc
- SHA512: 91c7a98e242791fab3d387d7df2a41e9880ef5a4038324222e095f894b68530cad1cba17a195f7a4c5aff32162368c54c60a11afa567699807df630a35d92276
- SSDEEP: 98304:CuWti1XTyinOyRivbmBoPhvTdhnstbgjO2rXftnFO8KDTkecARNFh/B:C9gTyZyRcbsoPZm8fO8skec2h5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2452, Process bhUYOqb.exe
- Loads dropped DLL (4 IoCs)
  pid 1712, Process GBgvQcZI.exe (recorded four times)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: GBgvQcZI.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1712 wrote to memory of 2452; pid 1712; Process GBgvQcZI.exe; procid_target 29 (recorded four times)
Processes
- C:\Users\Admin\AppData\Local\Temp\GBgvQcZI.exe "C:\Users\Admin\AppData\Local\Temp\GBgvQcZI.exe" (PID 1712)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\bhUYOqb.exe "C:\Users\Admin\AppData\Local\Temp\bhUYOqb.exe" (PID 2452)
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 125KB
- MD5: 4672adb9826ab075ef62f2739cfd64dd
- SHA1: 501581229a209a6b44c999a56916d5bf182ed29a
- SHA256: 2b9901eb640caec6a590be613800396ec132689c66de2be128915ee86c4c9367
- SHA512: f165dd7c13af6adc195bbff34b2daa5c7f156eac04672d583161c31d6191bd07f762a612adc08cf44a8f8284133505de207d79a083163421a1b26717225aa207