Analysis
Max time kernel: 117s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 20/08/2024, 09:04
Static task: static1
Behavioral task: behavioral1
  Sample: 769696b4d235e0184c2c8099e39b2394.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 769696b4d235e0184c2c8099e39b2394.exe
  Resource: win10v2004-20240802-en
General
Target: 769696b4d235e0184c2c8099e39b2394.exe
Size: 207KB
MD5: 769696b4d235e0184c2c8099e39b2394
SHA1: c3ecf1b75dfa411d4f2cf65998f52b69de09737d
SHA256: e15d6cb16c10e5b195706f648749001c448ddb7d585576023c66e0aa5be319c0
SHA512: 99258efcd7353a8c62d197aefc027a800c61061ff9a580356679d813a6f9fcc05a9f31087e95af90eebc8728a96c6c77f13225cf1a004a1bd9fee4538fb72325
SSDEEP: 3072:khF/AxZMqR1akvFDXDKAxqrAwFLImCMgVdJiQE1zAUGSPfl5LH0oIWgp:oI461asjeSHwrsdJi1MQtmJWg
Malware Config
Extracted family: stealc
Botnet: default
C2: http://46.8.231.109
url_path: /c4754d4f680ead72.php
Signatures
Suspicious use of SetThreadContext (1 IoC)
  description: PID 2520 set thread context of 3052
  pid: 2520
  process: 769696b4d235e0184c2c8099e39b2394.exe
  procid_target: 30
Program crash (1 IoC)
  pid: 2836
  pid_target: 3052
  process: WerFault.exe
  procid_target: 30
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 769696b4d235e0184c2c8099e39b2394.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: RegAsm.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  description: PID 2520 wrote to memory of 3052
  pid: 2520
  process: 769696b4d235e0184c2c8099e39b2394.exe
  procid_target: 30
  (13 identical entries)
  description: PID 3052 wrote to memory of 2836
  pid: 3052
  process: RegAsm.exe
  procid_target: 31
  (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\769696b4d235e0184c2c8099e39b2394.exe (PID 2520)
   command line: "C:\Users\Admin\AppData\Local\Temp\769696b4d235e0184c2c8099e39b2394.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3052), child of PID 2520
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (PID 2836), child of PID 3052
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 252
         - Program crash