Analysis
- max time kernel: 15s
- max time network: 21s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 20/08/2024, 20:51
Static task: static1

Behavioral task: behavioral1
- Sample: 9e1787fefde22c946238d1e5c4359cd0N.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 9e1787fefde22c946238d1e5c4359cd0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 9e1787fefde22c946238d1e5c4359cd0N.exe
- Size: 904KB
- MD5: 9e1787fefde22c946238d1e5c4359cd0
- SHA1: f1439fc4417b444873a2bc0a4e091734a644dbad
- SHA256: 87a3f4cb7819deedc56bc77d565b918e7da3cd140757e923affe587dc1e6c677
- SHA512: 9a5350f3c3b2055d8103f309866438e238bc678c90da56b7948696ee96eedb670c2e80b36de1266d1bbb9d3d499c55ab6142d09f41996c4fcd79d53dd844214a
- SSDEEP: 24576:F5s1ovDARFme86bBBBsSdBL5vfkavAd1z5yg66iLsn+vm5Oe/MzVAPuO4DFHgby1:F5s1ovDARFme8iBBBsSdBL5vfkavAd1U
Malware Config
Signatures

Deletes itself (1 IoC)
- pid 1672, Process 9e1787fefde22c946238d1e5c4359cd0N.exe

Executes dropped EXE (1 IoC)
- pid 1672, Process 9e1787fefde22c946238d1e5c4359cd0N.exe

Loads dropped DLL (4 IoCs)
- pid 2092, Process 9e1787fefde22c946238d1e5c4359cd0N.exe
- pid 472, Process WerFault.exe
- pid 472, Process WerFault.exe
- pid 472, Process WerFault.exe

Program crash (1 IoC)
- pid 472, Process WerFault.exe, pid_target 1672, procid_target 32
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process 9e1787fefde22c946238d1e5c4359cd0N.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process 9e1787fefde22c946238d1e5c4359cd0N.exe
Suspicious behavior: RenamesItself (1 IoC)
- pid 2092, Process 9e1787fefde22c946238d1e5c4359cd0N.exe

Suspicious use of UnmapMainImage (1 IoC)
- pid 1672, Process 9e1787fefde22c946238d1e5c4359cd0N.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2092 wrote to memory of 1672, Process 9e1787fefde22c946238d1e5c4359cd0N.exe, procid_target 32
- PID 2092 wrote to memory of 1672, Process 9e1787fefde22c946238d1e5c4359cd0N.exe, procid_target 32
- PID 2092 wrote to memory of 1672, Process 9e1787fefde22c946238d1e5c4359cd0N.exe, procid_target 32
- PID 2092 wrote to memory of 1672, Process 9e1787fefde22c946238d1e5c4359cd0N.exe, procid_target 32
- PID 1672 wrote to memory of 472, Process 9e1787fefde22c946238d1e5c4359cd0N.exe, procid_target 33
- PID 1672 wrote to memory of 472, Process 9e1787fefde22c946238d1e5c4359cd0N.exe, procid_target 33
- PID 1672 wrote to memory of 472, Process 9e1787fefde22c946238d1e5c4359cd0N.exe, procid_target 33
- PID 1672 wrote to memory of 472, Process 9e1787fefde22c946238d1e5c4359cd0N.exe, procid_target 33
Processes
- C:\Users\Admin\AppData\Local\Temp\9e1787fefde22c946238d1e5c4359cd0N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e1787fefde22c946238d1e5c4359cd0N.exe"
  PID: 2092
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9e1787fefde22c946238d1e5c4359cd0N.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\9e1787fefde22c946238d1e5c4359cd0N.exe
    PID: 1672
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 144
      PID: 472
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 904KB
  MD5: 622ff85907c68034a998e1be9271f004
  SHA1: a3ca62a64d690daab1064e4d61ee579a19299aec
  SHA256: bbe41570367594902308b8e3748e6ea6e75ef9a95b75ddf8b7feb0e8ec37cc45
  SHA512: ef5bbe0c090f63cf9338175be896023f208916ab2a8e610d7a9dffabe42227af66fdd58edd486b75b5c22a7e3ad8283f2ff5562305c2dca5e941b501cb5ee4e8