Analysis
Max time kernel: 119s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 07/08/2024, 09:28
Static task: static1
Behavioral task: behavioral1
Sample: 9d246707c1ec940a2a17803542a9e3e0N.exe
Resource: win7-20240705-en
General
Target: 9d246707c1ec940a2a17803542a9e3e0N.exe
Size: 496KB
MD5: 9d246707c1ec940a2a17803542a9e3e0
SHA1: 08e896d707041260027ddf1e7f428de8401627c5
SHA256: 420789ab30b823411f53477fd9fc568392b0b1b96962bbe429e40f93dd4bbcff
SHA512: c923c0efff80002e0447e0c7422dff65e399d6f24848f4b687a23fdc37770136571ee264ee8b5b390e719378783d1fca8dce0fdbe1332a38ee0b15abd200aa5b
SSDEEP: 6144:42xvIowx9CSZi+vdXhcVhkdtW0zmIMf5h2gPoFjdz52Wb3/mh7Q/u1PE0e/qHPB+:42hHYEqrvdKX+q5IVL0G2uJCtJw
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 9d246707c1ec940a2a17803542a9e3e0N.exe
- Executes dropped EXE (1 IoC)
  PID 2660: s9078.exe
- Loads dropped DLL (4 IoCs)
  PID 3040: 9d246707c1ec940a2a17803542a9e3e0N.exe (4 DLL loads)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 9d246707c1ec940a2a17803542a9e3e0N.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by 9d246707c1ec940a2a17803542a9e3e0N.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by 9d246707c1ec940a2a17803542a9e3e0N.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3040: 9d246707c1ec940a2a17803542a9e3e0N.exe
  PID 2660: s9078.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2660: s9078.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2660: s9078.exe (2 hook installs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3040 (9d246707c1ec940a2a17803542a9e3e0N.exe) wrote to memory of PID 2660 (s9078.exe), 4 events, procid_target: 30
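The signatures above are the output of simple predicates over the sandbox's event stream: a registry open whose path contains the VirtualBox DSDT table name, an open of the NLS\Language key, a read of the BIOS manufacturer value, a cross-process WriteProcessMemory from the sample into its child. The following is an added example, not tria.ge code and not the sample's code, that re-derives those signature hits from a constructed event list modelled on the IoCs in this report (paths and PIDs copied from the page, plus one benign registry open so the rules have something to ignore). The event field names (`kind`, `pid`, `path`, `target_pid`, `dropped`, `token`) are this example's own assumptions, not Triage's schema.

```python
"""Re-derive the behavioural signatures in the report from sandbox events.

Added example, not Triage's own code. The event records are constructed from
the IoCs the report lists; the field names are an assumed toy schema.
"""

SAMPLE = "9d246707c1ec940a2a17803542a9e3e0N.exe"
DROPPED = "s9078.exe"

# Constructed events (PIDs and registry paths taken from the report above).
EVENTS = [
    {"kind": "regkey_opened", "pid": 3040, "process": SAMPLE,
     "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"kind": "regkey_opened", "pid": 3040, "process": SAMPLE,
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"kind": "regkey_opened", "pid": 3040, "process": SAMPLE,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"},
    {"kind": "regvalue_queried", "pid": 3040, "process": SAMPLE,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    # Benign registry access (constructed) that no rule should fire on.
    {"kind": "regkey_opened", "pid": 3040, "process": SAMPLE,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"kind": "process_created", "pid": 2660, "process": DROPPED, "parent": 3040,
     "dropped": True},
    {"kind": "adjust_privilege", "pid": 2660, "process": DROPPED, "token": "SeDebugPrivilege"},
] + [
    # Four WriteProcessMemory calls from the sample into its child, as the report lists.
    {"kind": "write_process_memory", "pid": 3040, "process": SAMPLE, "target_pid": 2660}
    for _ in range(4)
]


def _regpath(ev):
    """Upper-cased registry path for registry events, empty string otherwise."""
    if ev["kind"] in ("regkey_opened", "regvalue_queried"):
        return ev.get("path", "").upper()
    return ""


# Signature name -> predicate over one event. Every matching event is one IoC,
# which is how the per-signature IoC counts in the report come about.
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)":
        lambda ev: r"\HARDWARE\ACPI\DSDT\VBOX__" in _regpath(ev),
    "System Location Discovery: System Language Discovery":
        lambda ev: _regpath(ev).endswith(r"\CONTROL\NLS\LANGUAGE"),
    "Enumerates system info in registry":
        lambda ev: r"\HARDWARE\DESCRIPTION\SYSTEM\BIOS" in _regpath(ev),
    "Executes dropped EXE":
        lambda ev: ev["kind"] == "process_created" and ev.get("dropped", False),
    "Suspicious use of AdjustPrivilegeToken":
        lambda ev: ev["kind"] == "adjust_privilege" and ev.get("token") == "SeDebugPrivilege",
    # Only cross-process writes count; a process writing its own memory is normal.
    "Suspicious use of WriteProcessMemory":
        lambda ev: ev["kind"] == "write_process_memory" and ev.get("target_pid") != ev["pid"],
}


def match_signatures(events):
    """Return {signature name: [matching events]} for every signature that fired."""
    hits = {}
    for name, pred in SIGNATURES.items():
        matched = [ev for ev in events if pred(ev)]
        if matched:
            hits[name] = matched
    return hits


def ioc_counts(events):
    """Signature name -> number of IoCs (the count shown beside each name)."""
    return {name: len(evs) for name, evs in match_signatures(events).items()}


def pids_by_signature(events):
    """Signature name -> sorted PIDs responsible, for annotating the process tree."""
    return {name: sorted({ev["pid"] for ev in evs})
            for name, evs in match_signatures(events).items()}


if __name__ == "__main__":
    for name, n in ioc_counts(EVENTS).items():
        print(f"{n} IoC(s)  {name}  pids={pids_by_signature(EVENTS)[name]}")
```

The rules are deliberately path-substring checks, which is also why such signatures are only "likely anti-VM": opening the VBOX__ DSDT key is strong evidence of a VirtualBox check, but the event alone does not say what the sample did with the answer. Here the child s9078.exe still ran, so when triaging, compare the anti-VM hit against the later events before concluding the sample bailed out.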
Processes
- C:\Users\Admin\AppData\Local\Temp\9d246707c1ec940a2a17803542a9e3e0N.exe (PID 3040, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d246707c1ec940a2a17803542a9e3e0N.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\n9078\s9078.exe (PID 2660, depth 2, child of PID 3040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\n9078\s9078.exe" ins.exe /e 10656963 /u 4d48823a-b8b4-4f4d-b72e-794a5bc06ebe /v "C:\Users\Admin\AppData\Local\Temp\9d246707c1ec940a2a17803542a9e3e0N.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 284KB
  MD5: 56c3c0bea17637a46ab6d82507923e75
  SHA1: de31ef91d7568429b34a00b23c3b2be815417e2a
  SHA256: b5518025103fc369faed527131b8c09df89f58bad97674388b36291b96cbb13a
  SHA512: fb3c60e5bf4cf73ea6c101d3a811016a4d30bf467da9f412321d856de1d949bec9a11f3adaf1c7fb0238ddd429759a743de927a8181dd14eb2638ee52677d16c