Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    31s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 09:55

General

  • Target

    4188e6b9061061d946909946d81d0c10N.exe

  • Size

    135KB

  • MD5

    4188e6b9061061d946909946d81d0c10

  • SHA1

    05c8bee2af630442b51aa2d1938ffa464ca234b2

  • SHA256

    3d79d0b0fcaa165200205faf9a9fc8858e51072f8c9c7f4ac3aecc74c1c48167

  • SHA512

    3b31a54e22540ef841e35c8ac5d74b8f564fe0fddfae5413989df260ee443c45ad9598c4f5c6cb6f27740bddb1ff4573f10b535015eb121bbb274dbdb9b87aca

  • SSDEEP

    1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SOv:YfU/WF6QMauSuiWNi9eNOl0007NZIOv

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4188e6b9061061d946909946d81d0c10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4188e6b9061061d946909946d81d0c10N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2132
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\4188e6b9061061d946909946d81d0c10N.exe" >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \ProgramData\Update\wuauclt.exe

    Filesize

    135KB

    MD5

    924160b516b900b0c7225080ef3e6ce1

    SHA1

    a17baa8c1df36388afec3f68478391f02ec585c4

    SHA256

    4d2a04752e18f72916da5f45fa28a374879d8fed89cf48617ffb6db3f3c3083d

    SHA512

    61fc641d35454cf752865c185806fc8bd2504ecb7bc1d0b95a885420a5f218934fc0924d6655ac575b006bc25b6a7fee52132393a51f341c99960c13338a0d28

  • memory/2132-7-0x0000000001110000-0x0000000001138000-memory.dmp

    Filesize

    160KB

  • memory/2344-0-0x0000000001110000-0x0000000001138000-memory.dmp

    Filesize

    160KB

  • memory/2344-6-0x0000000000260000-0x0000000000288000-memory.dmp

    Filesize

    160KB

  • memory/2344-8-0x0000000001110000-0x0000000001138000-memory.dmp

    Filesize

    160KB

  • memory/2344-9-0x0000000000260000-0x0000000000288000-memory.dmp

    Filesize

    160KB

  • memory/2344-10-0x0000000001110000-0x0000000001138000-memory.dmp

    Filesize

    160KB