Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

9b77d487c1...ae.exe

windows7-x64

8

9b77d487c1...ae.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b77d487c126fd7efd4adf0c880adb105136702d2ed9014757d70571e56f4fae.exe

  • Size

    2.2MB

  • MD5

    4b031af66c2b1818d6753aa25ecc1d9e

  • SHA1

    9594c741a3642229b610db1ed11d9e48f230d125

  • SHA256

    9b77d487c126fd7efd4adf0c880adb105136702d2ed9014757d70571e56f4fae

  • SHA512

    4fb72f8ce8f3e32a6d6f15f337608b30dac4be68c0c963060c176980dd331f9132394527399efb2c679a39dea84869c06c2058216e9551ff81138f48cd224b8e

  • SSDEEP

    24576:qqBQYkYZuw2RIMzoNPyWKCfo6iZbQQ8HtL6nLimbDVs5l3RuQ55313p:qqFqZbQQ8Ht8LimbQl3z

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b77d487c126fd7efd4adf0c880adb105136702d2ed9014757d70571e56f4fae.exe
    "C:\Users\Admin\AppData\Local\Temp\9b77d487c126fd7efd4adf0c880adb105136702d2ed9014757d70571e56f4fae.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:372
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Safety22w.exe
    Filesize

    33.7MB

    MD5

    8511bf6b379da283404154d306563367

    SHA1

    3519032c8ba1c636a5787dd96a1af8ae4af7fc32

    SHA256

    65f6bc962ca0e6180d0a993449b25c056c087fee507f63f1cae64439a6a33a12

    SHA512

    6c2bf44354fed609c1a3c817d930fcc948e5198a83a622a3037fd26f4f5486b4a962c170e62e28fb5d82400e7b335e66df5f354d87dbde24bceddf103bed2ee7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows_Thread_Check.exe
    Filesize

    2.2MB

    MD5

    a4f7e5aeeee620cdbc2965b402050824

    SHA1

    d2022b13484c2df979970aba19993d730bb7f1b8

    SHA256

    305ee3137ca2c3d82d62d4152afce966e6056d5f68e37e21ad976cf4cbc207cf

    SHA512

    1a598203212706a1bf6037d4b2879b5abe67b300e3733d387b261dc659f60a6923b6a90db43cdc3715ec86fd98228b3a64d4154a4c9e40bfb28239b2d86ae165

    Download Submit

  • memory/2192-33-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

    Download