Analysis
- Max time kernel: 119s
- Max time network: 124s
- Platform: windows7_x64
- Resource: win7-20240704-en
- Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- Submitted: 11/08/2024, 19:00
Static task
- static1

Behavioral task
- behavioral1
  Sample: 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
  Resource: win7-20240704-en

Behavioral task
- behavioral2
  Sample: 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
  Resource: win10v2004-20240802-en
General
- Target: 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
- Size: 7.0MB
- MD5: 9f45622774c7d19b96b520b37dc56055
- SHA1: b33b3bf504155b47efa9a9f44dff88c2df03a6d2
- SHA256: 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9
- SHA512: f60523676f18ee42633fce9e40dd3e4ff8d2b1f855a9016c0c20023491424aa091a538022a938fba43ef7935c24d3384e8b7a713427ba71f0ae3ae206409defc
- SSDEEP: 98304:emhd1Uryey4MhYILo/erQMLeZrDV7wQqZUha5jtSyZIUbn:elfm8V92QbaZtliK
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid / Process: 2708 4605.tmp
- Executes dropped EXE (1 IoC)
  pid / Process: 2708 4605.tmp
- Loads dropped DLL (2 IoCs)
  pid / Process: 1188 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
  pid / Process: 1188 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target:
  PID 1188 wrote to memory of 2708 1188 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe 30
  PID 1188 wrote to memory of 2708 1188 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe 30
  PID 1188 wrote to memory of 2708 1188 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe 30
  PID 1188 wrote to memory of 2708 1188 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe 30
Processes
- C:\Users\Admin\AppData\Local\Temp\168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1188
  - C:\Users\Admin\AppData\Local\Temp\4605.tmp (level 2, child of PID 1188)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4605.tmp" --splash C:\Users\Admin\AppData\Local\Temp\168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe 82653F392A0BF0907BA5AD2C0E0EFE14FAB88555882A6CCF547097527FA75D8DCD7B3A8B078DB616D247D423CFFA95C2712B0C17CE00EB7B56C55A810FD69BD2
    - Deletes itself
    - Executes dropped EXE
    PID: 2708
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7.0MB
  MD5: 8ad3a68c5bc6ab93496f2139d575ff64
  SHA1: 8d832b9cb2199dcc8efc11dde9cd7fe284577b56
  SHA256: 05609b427ea777a7b3ed6ede02b937d68ae13dacc434ba0ed046d63c8be448bd
  SHA512: 5b679f1584cd13c5eb0af34a9a06a6f2370daaaf13de526197e516e5596185e35f69aad27c2d6114370e6b864dfc2233401bf175fe17b0fa696bfd4c8612ea0d