Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 19/08/2024, 05:29
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 1d7a6a0ec43351d6afb4117eda56ad40N.exe
  - Resource: win7-20240708-en
Behavioral task
- behavioral2
  - Sample: 1d7a6a0ec43351d6afb4117eda56ad40N.exe
  - Resource: win10v2004-20240802-en
General
- Target: 1d7a6a0ec43351d6afb4117eda56ad40N.exe
- Size: 43KB
- MD5: 1d7a6a0ec43351d6afb4117eda56ad40
- SHA1: 1034041906406eb24ec6e92c7223d4a679a0e114
- SHA256: e755da1c18d880ec127b8ce356176d1d977662728bfd7f2234b527397eff236a
- SHA512: 845d166288aaae0afc57ddc6ca154c8912544b3f7d302056ecc5b5ca4ba992dcf3a69ab578bd1a67ad00cdcc0e59a9ab7cbe014c0ecdb0b6270e45fd6d502cec
- SSDEEP: 768:DqPJtsA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNh4:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYY
Malware Config
Signatures
- Deletes itself (1 IoC)
  - pid 1772, process microsofthelp.exe
- Executes dropped EXE (1 IoC)
  - pid 1772, process microsofthelp.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" (process 1d7a6a0ec43351d6afb4117eda56ad40N.exe)
- Drops file in Windows directory (1 IoC)
  - File created: C:\Windows\microsofthelp.exe (process 1d7a6a0ec43351d6afb4117eda56ad40N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  - Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 1d7a6a0ec43351d6afb4117eda56ad40N.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2416 (1d7a6a0ec43351d6afb4117eda56ad40N.exe) wrote to memory of PID 1772, procid_target 30; the same event is recorded four times
Processes
- C:\Users\Admin\AppData\Local\Temp\1d7a6a0ec43351d6afb4117eda56ad40N.exe (PID 2416), command line "C:\Users\Admin\AppData\Local\Temp\1d7a6a0ec43351d6afb4117eda56ad40N.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\microsofthelp.exe (PID 1772, child of PID 2416), command line "C:\Windows\microsofthelp.exe"
    - Deletes itself
    - Executes dropped EXE
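The signatures and process tree above describe one short persistence chain: the sample (PID 2416) creates C:\Windows\microsofthelp.exe, writes a Run value under the current user's hive that points at that path, starts it, and the report attributes the deletion of the original to the child (PID 1772). The Python below is an added example, not code from tria.ge or from the sample: it correlates that whole chain across constructed Sysmon-style events (event IDs 1, 11, 13 and 23 with simplified fields) built from the report's IoCs, instead of alerting on each signature alone, which keeps a legitimate installer that merely drops a file into C:\Windows from firing. The event layout, the extra noise event and the function name `find_drop_and_run_chains` are assumptions. Note that creating a file under C:\Windows needs an elevated token; the sandbox ran the sample as the Admin user, so on a standard-user host that step would fail and the chain would not complete.

```python
"""Correlate drop -> Run key -> execute -> delete-original across
constructed Sysmon-style events (added example, not tria.ge code)."""
import re
from collections import defaultdict

# Constructed events modelled on Sysmon IDs 1 (process create),
# 11 (file create), 13 (registry value set) and 23 (file delete).
# Paths, PIDs and the registry value are taken from the report above;
# the PPID of 2416 and the final "setup_helper" event are invented noise.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1d7a6a0ec43351d6afb4117eda56ad40N.exe"
EVENTS = [
    {"id": 1, "pid": 2416, "ppid": 1000, "image": SAMPLE},
    {"id": 11, "pid": 2416, "target": r"C:\Windows\microsofthelp.exe"},
    {"id": 13, "pid": 2416,
     "key": r"\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp",
     "data": r"C:\Windows\microsofthelp.exe"},
    {"id": 1, "pid": 1772, "ppid": 2416, "image": r"C:\Windows\microsofthelp.exe"},
    {"id": 23, "pid": 1772, "target": SAMPLE},
    # Benign-looking noise: a file in the Windows directory with no Run key.
    {"id": 11, "pid": 3000, "target": r"C:\Windows\setup_helper.exe"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WINDOWS_DIR_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.I)


def norm(path):
    """Normalise a path or command line for comparison (strip quotes, lowercase)."""
    return path.strip('"').lower()


def find_drop_and_run_chains(events):
    """Return one finding per process that drops an EXE into the Windows
    directory, registers that exact path under a Run key, and then has a
    child process executing from it. Also records whether a child deleted
    the dropper's own image (the 'Deletes itself' behaviour)."""
    images, parents = {}, {}                 # pid -> image, pid -> ppid
    drops = defaultdict(set)                 # pid -> paths created in C:\Windows
    run_values = defaultdict(set)            # pid -> Run value data
    deletes = defaultdict(set)               # pid -> deleted paths
    for e in events:
        if e["id"] == 1:
            images[e["pid"]] = norm(e["image"])
            parents[e["pid"]] = e["ppid"]
        elif e["id"] == 11 and WINDOWS_DIR_EXE.match(e["target"]):
            drops[e["pid"]].add(norm(e["target"]))
        elif e["id"] == 13 and RUN_KEY.search(e["key"]):
            run_values[e["pid"]].add(norm(e["data"]))
        elif e["id"] == 23:
            deletes[e["pid"]].add(norm(e["target"]))

    findings = []
    for pid, paths in drops.items():
        # Only paths that were both dropped and persisted by the same process.
        for path in sorted(paths & run_values.get(pid, set())):
            children = [c for c, img in images.items()
                        if img == path and parents.get(c) == pid]
            self_deleted = any(images.get(pid) in deletes[c] for c in children)
            findings.append({
                "dropper_pid": pid,
                "payload": path,
                "child_pids": children,
                "dropper_deleted_by_child": self_deleted,
            })
    return findings


if __name__ == "__main__":
    for f in find_drop_and_run_chains(EVENTS):
        print(f)
```

Requiring the dropped path and the Run value data to match exactly is what separates this from a generic "wrote to C:\Windows" rule; a real deployment would normalise environment variables and short 8.3 names before the comparison.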
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 43KB
- MD5: e158a92827ccbec502bb6686f1549b8c
- SHA1: 2c98ac37523c6d5e2f60136ad1df7dd71ce96b2d
- SHA256: 2895280d9e1871150e6b8824e9780a7be11491ea5f71389726af933c56a1fb14
- SHA512: 3c24e913fd393c45be9ae92857e6b6ed26c63b3bb704e35f6420ab9b45271885fc70d455572f7767ba4a1a731074a441646efb0afc5f08c8fe0eb46cf07654dd