Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 20:37
Static task: static1
Behavioral task: behavioral1
  Sample: e9789a530b222f95edf1e5b7602ad460N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: e9789a530b222f95edf1e5b7602ad460N.exe
  Resource: win10v2004-20240802-en
General
Target: e9789a530b222f95edf1e5b7602ad460N.exe
Size: 53KB
MD5: e9789a530b222f95edf1e5b7602ad460
SHA1: 4137b53044a13ab97740a7bd10370fb774934583
SHA256: c613525f16bc5d1ca5ef4b266ea37ca58688e9aa071302ba8c0d597117725b07
SHA512: 4ed68392dc95fd88b8e63b33f96fe1b09272dc7fbe4b2f3bc282d18a5d405c84169c9aa4111129bc5292e03803b62300865e63dfe12bcd143df4cf24ff1f3c35
SSDEEP: 1536:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYVFl2g5u58dO0xXHQEyYfdhNhFO5h3xhIL:+MA6C1VqaqhtgVRNToV7TtRu8rM0wYVh
Malware Config
Signatures
Deletes itself (1 IoC)
  pid: 2420 | Process: microsofthelp.exe
Executes dropped EXE (1 IoC)
  pid: 2420 | Process: microsofthelp.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"
  Process: e9789a530b222f95edf1e5b7602ad460N.exe
Drops file in Windows directory (1 IoC)
  description: File created
  ioc: C:\Windows\microsofthelp.exe
  Process: e9789a530b222f95edf1e5b7602ad460N.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: e9789a530b222f95edf1e5b7602ad460N.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2504 wrote to memory of 2420 | pid: 2504 | Process: e9789a530b222f95edf1e5b7602ad460N.exe | procid_target: 30
  description: PID 2504 wrote to memory of 2420 | pid: 2504 | Process: e9789a530b222f95edf1e5b7602ad460N.exe | procid_target: 30
  description: PID 2504 wrote to memory of 2420 | pid: 2504 | Process: e9789a530b222f95edf1e5b7602ad460N.exe | procid_target: 30
  description: PID 2504 wrote to memory of 2420 | pid: 2504 | Process: e9789a530b222f95edf1e5b7602ad460N.exe | procid_target: 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\e9789a530b222f95edf1e5b7602ad460N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e9789a530b222f95edf1e5b7602ad460N.exe"
   PID: 2504
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\microsofthelp.exe (child process)
      Command line: "C:\Windows\microsofthelp.exe"
      PID: 2420
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 53KB
MD5: 7828f888b483c583f1515f4168f55a30
SHA1: 96e88478fd5096ac4ee084fb2e79adb63a3bbafb
SHA256: 4e255913ea220ded32e743c5c821ccc5f70d2fb40649a7d13f0bd3e458288f65
SHA512: 3e100212790587d8c801138426851a5db47be50c50925277085e7ee2c84d591497719692ff0827a485e6386c93f814bf862a7584bb2b9b6baf36f9ce2a9f80af