Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
07/08/2024, 06:36
Behavioral task
behavioral1
Sample
7cf6112e482c5f3df51ce751160353d0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
7cf6112e482c5f3df51ce751160353d0N.exe
Resource
win10v2004-20240802-en
General
-
Target
7cf6112e482c5f3df51ce751160353d0N.exe
-
Size
134KB
-
MD5
7cf6112e482c5f3df51ce751160353d0
-
SHA1
13952b0a85856fbe0d8ba49887a9125569a54490
-
SHA256
3e70f4bcda45dd4fd17d29afb9dfe32043e2621ac0efb017bf111f0dcc3373d4
-
SHA512
522802d4d04448d2c8ad5e0d718edbb72f54db10e927b4df76db40f1b66b877e5ac19923778a37802b23fcd7965625f14bf84d5053bf3d6225d8fafc2f5e55e7
-
SSDEEP
1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38QE:riAyLN9aa+9U2rW1ip6pr2At7NZuQE
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2308 WwanSvc.exe -
Loads dropped DLL 1 IoCs
pid Process 2520 7cf6112e482c5f3df51ce751160353d0N.exe -
resource yara_rule behavioral1/memory/2520-0-0x0000000000D10000-0x0000000000D38000-memory.dmp upx behavioral1/memory/2520-4-0x0000000000410000-0x0000000000438000-memory.dmp upx behavioral1/files/0x00080000000173de-6.dat upx behavioral1/memory/2520-7-0x0000000000D10000-0x0000000000D38000-memory.dmp upx behavioral1/memory/2308-8-0x0000000000EF0000-0x0000000000F18000-memory.dmp upx behavioral1/memory/2520-9-0x0000000000D10000-0x0000000000D38000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" 7cf6112e482c5f3df51ce751160353d0N.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7cf6112e482c5f3df51ce751160353d0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WwanSvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2308 2520 7cf6112e482c5f3df51ce751160353d0N.exe 30 PID 2520 wrote to memory of 2308 2520 7cf6112e482c5f3df51ce751160353d0N.exe 30 PID 2520 wrote to memory of 2308 2520 7cf6112e482c5f3df51ce751160353d0N.exe 30 PID 2520 wrote to memory of 2308 2520 7cf6112e482c5f3df51ce751160353d0N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cf6112e482c5f3df51ce751160353d0N.exe"C:\Users\Admin\AppData\Local\Temp\7cf6112e482c5f3df51ce751160353d0N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\ProgramData\Update\WwanSvc.exe"C:\ProgramData\Update\WwanSvc.exe" /run2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2308
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD576a7c0d21d3cfe553873cf11f1cf40a8
SHA1871db0d95840cbdd982a61bca9e2100f853fb017
SHA25658fb65387ca8dacc705fca7e2885b2d75f9873fef428066e65939c8b70159e3f
SHA512345fdedc863b5d9cc1343050d5d6394eadf4f578a70e76fc8c139e2f9cb2a3bc614f31a5b567327ebf3c43b322a35d8f1702cb67e29c420134fa17537711b907