Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 63s
  max time network: 16s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 17/08/2024, 20:30
Static task: static1

Behavioral task: behavioral1
  Sample: 2fbe6c8945f760922645fe7751598b622b82322cf53b0c33d91c0e4c0a1ffcdc.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 2fbe6c8945f760922645fe7751598b622b82322cf53b0c33d91c0e4c0a1ffcdc.exe
  Resource: win10v2004-20240802-en
General
  Target: 2fbe6c8945f760922645fe7751598b622b82322cf53b0c33d91c0e4c0a1ffcdc.exe
  Size: 129KB
  MD5: 5dd9ea96f4ab29e0d58198c0a1bc8e8d
  SHA1: 277722ea31bbe28abce19e76bf4c2efaddb29b2b
  SHA256: 2fbe6c8945f760922645fe7751598b622b82322cf53b0c33d91c0e4c0a1ffcdc
  SHA512: 42dfa498213f53ceae0745ee423be0383b0338ea49b7c05e72313fffca1a9902657a17421bd90b9ddebe74aacb76c7ec100a11eb76668c0d79f06a5a0de51ffc
  SSDEEP: 3072:knZjfso0f5z9f57fgDWChiOzl0LEnFvUf4FnWRYCd+:kndp0f5z77fgDNlzl0L0dUf2WRNd+
Malware Config
Signatures

Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Executes dropped EXE (1 IoCs)
  pid   Process
  2856  emlssch.exe

Drops file in Program Files directory (2 IoCs)
  description   ioc                               Process
  File created  C:\PROGRA~3\Mozilla\emlssch.exe   2fbe6c8945f760922645fe7751598b622b82322cf53b0c33d91c0e4c0a1ffcdc.exe
  File created  C:\PROGRA~3\Mozilla\hsimtwa.dll   emlssch.exe

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      2fbe6c8945f760922645fe7751598b622b82322cf53b0c33d91c0e4c0a1ffcdc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      emlssch.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                  pid   Process      procid_target
  PID 2180 wrote to memory of 2856   2180  taskeng.exe  31
  PID 2180 wrote to memory of 2856   2180  taskeng.exe  31
  PID 2180 wrote to memory of 2856   2180  taskeng.exe  31
  PID 2180 wrote to memory of 2856   2180  taskeng.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\2fbe6c8945f760922645fe7751598b622b82322cf53b0c33d91c0e4c0a1ffcdc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fbe6c8945f760922645fe7751598b622b82322cf53b0c33d91c0e4c0a1ffcdc.exe"
  PID: 1464
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {817E1AA3-0A3D-4CE3-86F2-F4880FF345D3} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2180
  - Suspicious use of WriteProcessMemory

  C:\PROGRA~3\Mozilla\emlssch.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\emlssch.exe -jioalan
    PID: 2856
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 129KB
  MD5: 1f588dec4a385fcea9b48c9fac69b7a8
  SHA1: b068bb9a2f58ff521c357203356f234a73f187d2
  SHA256: 630aa02b6eedc5792fcf2460d6b31a3460ee34eb7a2167c9f85cab54aa6d7865
  SHA512: 8db15f3dd720eefb903126d6d444e1271fa03cd5ee7a598aa364ff49a0c13c3b733013695515be0be38f183033a6aafb102db615db8d6a256535cf939abdc72e