Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 16/08/2024, 21:31
Behavioral tasks
- behavioral1: Sample fbadca9c175356d00787796bd6de5ea0N.exe, Resource win7-20240704-en
- behavioral2: Sample fbadca9c175356d00787796bd6de5ea0N.exe, Resource win10v2004-20240802-en
General
- Target: fbadca9c175356d00787796bd6de5ea0N.exe
- Size: 41KB
- MD5: fbadca9c175356d00787796bd6de5ea0
- SHA1: 9189ed873a613ce697b089023ed8b07f1e331698
- SHA256: f85e605b37031190bae795f979e8a1071b42be190ea9339d03611810b6639e88
- SHA512: 48e9b51b7fd454530d334eb1ecb42cddd93651d3b27f934880c1e7aaef9f1c39adffc13c14028a09e909718f901f4a07a151287205ca1eb28bb23ee769a1ea96
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
- PID 2784, Process services.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" (Process: fbadca9c175356d00787796bd6de5ea0N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" (Process: services.exe)
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\services.exe (Process: fbadca9c175356d00787796bd6de5ea0N.exe)
- File opened for modification: C:\Windows\java.exe (Process: fbadca9c175356d00787796bd6de5ea0N.exe)
- File created: C:\Windows\java.exe (Process: fbadca9c175356d00787796bd6de5ea0N.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: fbadca9c175356d00787796bd6de5ea0N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: services.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2724 (fbadca9c175356d00787796bd6de5ea0N.exe) wrote to memory of PID 2784 (procid_target 30); the same entry is reported 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\fbadca9c175356d00787796bd6de5ea0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\fbadca9c175356d00787796bd6de5ea0N.exe"), PID 2724
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Windows\services.exe (command line: "C:\Windows\services.exe"), PID 2784, child of PID 2724
   - Executes dropped EXE
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads