Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
20/08/2024, 19:15
Static task
static1
Behavioral task
behavioral1
Sample
fb0014ea34f774208605e28bee4023b0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
fb0014ea34f774208605e28bee4023b0N.exe
Resource
win10v2004-20240802-en
General
-
Target
fb0014ea34f774208605e28bee4023b0N.exe
-
Size
1004KB
-
MD5
fb0014ea34f774208605e28bee4023b0
-
SHA1
40981c0ea15f9e2f7a07cbd8bdefca89947c44eb
-
SHA256
99fbf5280aa301ee6a41acb4f88a14266186cc7deeb8806e1a44c756da197dd1
-
SHA512
63e9cc441acf7895e5a3f7d3ee1ccc53892bebb085b27262770c75c5a436b41bd92a57069c3fbee00761048b032ab3b5317ce90f4a5af85062c84fd3af59e11e
-
SSDEEP
24576:34OLYmyM7cb5kWyMJ9C1Xda/ZSCBHn677:fLYmy2cb5k5MJ8XdgVBHn6
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2068 fb0014ea34f774208605e28bee4023b0N.exe -
Executes dropped EXE 1 IoCs
pid Process 2068 fb0014ea34f774208605e28bee4023b0N.exe -
Loads dropped DLL 1 IoCs
pid Process 2356 fb0014ea34f774208605e28bee4023b0N.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 pastebin.com 5 pastebin.com -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fb0014ea34f774208605e28bee4023b0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fb0014ea34f774208605e28bee4023b0N.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2068 fb0014ea34f774208605e28bee4023b0N.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2356 fb0014ea34f774208605e28bee4023b0N.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2068 fb0014ea34f774208605e28bee4023b0N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2068 2356 fb0014ea34f774208605e28bee4023b0N.exe 31 PID 2356 wrote to memory of 2068 2356 fb0014ea34f774208605e28bee4023b0N.exe 31 PID 2356 wrote to memory of 2068 2356 fb0014ea34f774208605e28bee4023b0N.exe 31 PID 2356 wrote to memory of 2068 2356 fb0014ea34f774208605e28bee4023b0N.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe"C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exeC:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe2⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2068
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1004KB
MD5cebfb7ae47abeedf9fd6a6c653e0df3d
SHA1f2817b796f12d2dd6f4d4cb5ef711c568f6e0245
SHA2562306b1e480139a964c2b8ce0d152baf3726714b5c94b6aba1317627ea3c4dd05
SHA51218fbf49137433554d80c8bb0a812a6cd8e9a3e259f1a622f901f4e269472ddd6398085fc95bd294629ebcd5b16b1872ede26c5659e59f3b77dfdeff45da294c4