Analysis
max time kernel: 24s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10/08/2024, 21:52
Behavioral task
behavioral1
Sample
58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
Resource
win7-20240704-en
General
Target: 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
Size: 246KB
MD5: d7a82d875706d57720b3a35ea797290d
SHA1: 9dbc048de8ea29ab951b08341fd141dcd317f78f
SHA256: 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd
SHA512: f8ecd8c34a84448291d99f0135811da9dedeb7aea6a25db19aa98ce6b4f9366959a57409f4549bb7d93678d6a4d35657822725227741b9e3d289b4526bfae2d8
SSDEEP: 6144:FMooVQnnOBccnskYPmTpUxrr1XRA7WHxWoN+J0EafCUSYibN6WG8M:+QnO/s1mTpG5bUo4bafVibv3M
Malware Config
Signatures

resource                                                                    yara_rule
behavioral1/memory/3012-2-0x0000000000400000-0x0000000001C5B000-memory.dmp  upx
behavioral1/memory/3012-1-0x0000000000400000-0x0000000001C5B000-memory.dmp  upx
behavioral1/memory/3012-6-0x0000000000400000-0x0000000001C5B000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  systeminfo.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2776  PING.EXE
652   cmd.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid   Process
2740  systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs
pid   Process
2776  PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process                                                                 procid_target
PID 3012 wrote to memory of 652    3012  58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe  29
PID 3012 wrote to memory of 652    3012  58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe  29
PID 3012 wrote to memory of 652    3012  58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe  29
PID 3012 wrote to memory of 652    3012  58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe  29
PID 652 wrote to memory of 2740    652   cmd.exe                                                                 31
PID 652 wrote to memory of 2740    652   cmd.exe                                                                 31
PID 652 wrote to memory of 2740    652   cmd.exe                                                                 31
PID 652 wrote to memory of 2740    652   cmd.exe                                                                 31
PID 652 wrote to memory of 2776    652   cmd.exe                                                                 34
PID 652 wrote to memory of 2776    652   cmd.exe                                                                 34
PID 652 wrote to memory of 2776    652   cmd.exe                                                                 34
PID 652 wrote to memory of 2776    652   cmd.exe                                                                 34
Processes

C:\Users\Admin\AppData\Local\Temp\58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe"
  PID: 3012
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c systeminfo>>C:\Windows\temp\setup_gitlog.txt&ping 8.8.8.8>>C:\Windows\temp\setup_gitlog.txt
    PID: 652
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\systeminfo.exe
      Command line: systeminfo
      PID: 2740
      - System Location Discovery: System Language Discovery
      - Gathers system information

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 8.8.8.8
      PID: 2776
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 33B
MD5: 346bbdef8e66561ce4c33013160d7c75
SHA1: 023e40d5eb04b2d7e8346ea0c9a62b05d372abec
SHA256: ce357dc9d96cbb6933f7895d5fee9052b72733c2db9fc32b1555761b1bd0c277
SHA512: f2fd0412846455ee0f47f9e88192ea4c6ee60c3118be40a44c9b626566652ed46b1c3a0708a7ec6feba7a9cafc61091a2a1c6cb864a99a081bb842625040594f