Analysis
  max time kernel: 140s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 19/08/2024, 19:18
Static task: static1

Behavioral task: behavioral1
  Sample: 155绿色软件站.url
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 155绿色软件站.url
  Resource: win10v2004-20240802-en

Behavioral task: behavioral3
  Sample: 右键显示隐藏系统文件.exe
  Resource: win7-20240704-en

Behavioral task: behavioral4
  Sample: 右键显示隐藏系统文件.exe
  Resource: win10v2004-20240802-en
General
  Target: 右键显示隐藏系统文件.exe
  Size: 414KB
  MD5: 6d41ee8c4bd2b574b02a29ce0b023eb9
  SHA1: 6357ac007742c6b8fc6c10eb303bf729af663ce9
  SHA256: 9f6bb66ec52ebb6d52006955dc94399c51d192dbec076df269de0552593b12ce
  SHA512: e0732b54b4b4edcf35f1d99df9a7dddb9d6d1a91545be6657f55318e98f80ab5dbf7b0701b62c327be14e52bbe5b69b8117946deecbdd204ad3cb0fed5af3525
  SSDEEP: 6144:aTfFDbRnOTrZc1JWGkTfFDbRnOTrZc1JFo7TfFDbRnOTrZc1JlBE:I5OG2GW5OGlo95OGFBE
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    pid: 296  process: set.exe
- Loads dropped DLL (2 IoCs)
    pid: 1736  process: 右键显示隐藏系统文件.exe
    pid: 1736  process: 右键显示隐藏系统文件.exe
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: 右键显示隐藏系统文件.exe
    description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: set.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
    pid: 296  process: set.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
    description: PID 1736 wrote to memory of 296  pid: 1736  process: 右键显示隐藏系统文件.exe  procid_target: 31
    description: PID 1736 wrote to memory of 296  pid: 1736  process: 右键显示隐藏系统文件.exe  procid_target: 31
    description: PID 1736 wrote to memory of 296  pid: 1736  process: 右键显示隐藏系统文件.exe  procid_target: 31
    description: PID 1736 wrote to memory of 296  pid: 1736  process: 右键显示隐藏系统文件.exe  procid_target: 31
Processes
  1. C:\Users\Admin\AppData\Local\Temp\右键显示隐藏系统文件.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\右键显示隐藏系统文件.exe"
     PID: 1736
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\set.exe (child of PID 1736)
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\set.exe"
        PID: 296
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 60KB
  MD5: 524a62841d9fab0d9d49f5bcff7bd8b1
  SHA1: 2c0243210aaebab392304237d6d651f8d72cb032
  SHA256: 065cdb23f4bf29e57a425f89c92631589a6d93489d2972ea5e13a6390352197a
  SHA512: eb9aa16b64e8ea806c74acb8ea1bc96ad42124a4d2cb5617daf2f784172200a6ec5ecdb28d886483c7ee8b40407f5dbf443dc063dbdce5f43f842ed5747d4872