Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
08/08/2024, 10:26
Behavioral task
behavioral1
Sample
cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
Resource
win10v2004-20240802-en
General
-
Target
cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
-
Size
1.9MB
-
MD5
863d307dd132c2a7502946280257e058
-
SHA1
f7ec3a87c5e4cb87ec39e1b62b741b8e45eab1ba
-
SHA256
cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8
-
SHA512
1575d8c638038a4ae3b46913e874f3c4a50a45f1de1cc4527afb7853b0e683d336ecf879198c41add1f7c59056c59892754603317bc1dcd2e6d3287105d5f862
-
SSDEEP
49152:E6tTHSd+IGgCNiJrAVja0W0iVwZJOorqGW:E8q+I6NQrS80iVwTjr7W
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1100 Bugreport-524574.dll -
Loads dropped DLL 3 IoCs
pid Process 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe -
resource yara_rule behavioral1/memory/2624-0-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral1/memory/2624-8-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-7-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-5-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-6-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-10-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-50-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-49-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-48-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-46-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-44-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-42-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-40-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-38-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-36-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-34-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-32-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-30-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-28-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-26-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-24-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-22-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-20-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-18-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-16-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-14-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-12-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-52-0x00000000024D0000-0x0000000002542000-memory.dmp upx behavioral1/memory/2624-51-0x00000000024D0000-0x0000000002542000-memory.dmp upx behavioral1/memory/2624-55-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral1/memory/2624-56-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral1/memory/2624-57-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral1/memory/2624-59-0x00000000024D0000-0x0000000002542000-memory.dmp upx behavioral1/files/0x0007000000019803-65.dat upx behavioral1/memory/1100-74-0x0000000000400000-0x0000000000442200-memory.dmp upx behavioral1/memory/1100-92-0x0000000000400000-0x0000000000442200-memory.dmp upx behavioral1/memory/2624-133-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral1/memory/2624-219-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral1/memory/2624-359-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral1/memory/2624-438-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral1/memory/2624-522-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral1/memory/2624-7303-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral1/memory/2624-7304-0x00000000024D0000-0x0000000002542000-memory.dmp upx -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bugreport-524574.dll -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 1100 Bugreport-524574.dll -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2624 wrote to memory of 1100 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 32 PID 2624 wrote to memory of 1100 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 32 PID 2624 wrote to memory of 1100 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 32 PID 2624 wrote to memory of 1100 2624 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe"C:\Users\Admin\AppData\Local\Temp\cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524574.dllC:\Users\Admin\AppData\Local\Temp\data\Bugreport-524574.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E9%99%8C%E7%94%9F%E7%A9%BA%E9%97%B4%E7%95%99%E7%97%95%E8%B5%9E%202⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1100
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
113B
MD5d4ff7a9a4d86d38bb9cf53e48f5a5a6d
SHA1374447887401c5bae63352926a70201a9b1e72e7
SHA2568b785273b451511c9a220f3b19a149b5650fdee01fc4ef3ee06f18a37e321b21
SHA512ec97f271acde264434910ea3166f0d802ee84889daf466261f58a18ae1f68032edaadc3bc6d7a59d3564b5df9c586ef01a083ea0d957e8eb7cfc2f97d877aced
-
Filesize
133B
MD589058a7e470a0f43b03cf6c27d214354
SHA14900de8849a32baff7ff1fd7fcc38383e232004d
SHA2561427778f8eb2161da2475cdde27bca41ed55d4f420c8f91cddd2c21d1c455a29
SHA512810369cc87d184d2bc55f51879c6f1f8d590ea5030949ea916191db064c18f1d61f26ebd509aa1ef9e023dfe0c2372d4e7466ca9aa5646e32457d98c9fd22f9e
-
Filesize
548B
MD5529a2fe4ee9ee5472fbd979a5194ab49
SHA1ef6ae909ba52d296ad928fa93ac1249b2e6c337e
SHA2563ab2cd378825f3c7a672d76ca700fa42b17f520b8a6971b61d207307801694fb
SHA51266b32c3bcc5c19a95c40ca7e3fcfade57b39135d853b313408f838a1dcabf5a0142d48d9bad8c037a122adbcb186f382f987c3b610535af308729627f47f67d1
-
Filesize
82KB
MD50aae9f149384ddefaf19a2f292b8c8ad
SHA1ef8c93f96f2b54066875ba2a23eb5515891b38a6
SHA256c11ca4f594735ef256ac0bc17e03e96d3668687e36d72a007721845cc3ebad61
SHA512ae67b1a87ca56c68e26a942a7563338f51c124e99422c5c258b89184b9404f0825b90679398afe5f5d96680c941bdfd1aec3672fb85a3f08575e9f17cdb71457
-
Filesize
724KB
MD5a96fbd5e66b31f3d816ad80f623e9bd9
SHA14eda42260bd3eb930cd4eafd7d15c6af367bcf18
SHA2562e67ba278646fde95bb614dcbcc7da1c6bf7976c918b2c6ad3d78640000326f3
SHA51243921107313775ea14b1bd33cf758c13798f4fa1c1074771c1c96b1b43b98f3416d249ed8ab3171383772d0054829c3754a91b5e94135f1df6d67a76f599c80e