Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 21/08/2024, 21:56
Static task: static1
Behavioral task: behavioral1
  Sample: 296eb4714d924d2fbc8cf2efd7065b00N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 296eb4714d924d2fbc8cf2efd7065b00N.exe
  Resource: win10v2004-20240802-en
General
- Target: 296eb4714d924d2fbc8cf2efd7065b00N.exe
- Size: 391KB
- MD5: 296eb4714d924d2fbc8cf2efd7065b00
- SHA1: f69689430f7ef9fd4d3a91ba619567d3ed413f14
- SHA256: ca7ca3f559dd77cbdf1dc1f78e197370834f8a1dd61d9e184e057b8d7b832dde
- SHA512: ea07e4c8a41b7b39c91646a51011e939c0c65e9ec8bde77f740458feb523363c98d9e01f1f58c43b3e20e36cac8aa6399974f17090ec0a933421000375c8e502
- SSDEEP: 12288:HFNVVPc1T9n6EvoKlSql4ejAAWxe1X7BMPpqeepz4eeriD:HFkZ6EvoKlSql4ejrWx4X7BMPpqeepzN
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2436  296eb4714d924d2fbc8cf2efd7065b00N.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2436  296eb4714d924d2fbc8cf2efd7065b00N.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  1964  296eb4714d924d2fbc8cf2efd7065b00N.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  296eb4714d924d2fbc8cf2efd7065b00N.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  1964  296eb4714d924d2fbc8cf2efd7065b00N.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  2436  296eb4714d924d2fbc8cf2efd7065b00N.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                procid_target
  PID 1964 wrote to memory of 2436  1964  296eb4714d924d2fbc8cf2efd7065b00N.exe  32
  PID 1964 wrote to memory of 2436  1964  296eb4714d924d2fbc8cf2efd7065b00N.exe  32
  PID 1964 wrote to memory of 2436  1964  296eb4714d924d2fbc8cf2efd7065b00N.exe  32
  PID 1964 wrote to memory of 2436  1964  296eb4714d924d2fbc8cf2efd7065b00N.exe  32
Processes
- C:\Users\Admin\AppData\Local\Temp\296eb4714d924d2fbc8cf2efd7065b00N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\296eb4714d924d2fbc8cf2efd7065b00N.exe"
  PID: 1964
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\296eb4714d924d2fbc8cf2efd7065b00N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\296eb4714d924d2fbc8cf2efd7065b00N.exe
    PID: 2436
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 391KB
  MD5: c12aa88c044dee314ac111a595191f5f
  SHA1: a3cbb9f7fb74785faef756bb28f5daee34739bdf
  SHA256: 16a48ecde4d531b46bc056be7eefe4344e3629a5627ca5e3f0c55a2a75c1fa1c
  SHA512: 731bec4db5fa14a83a60af2533c84ed3e6d398bc195bf119b5b5e2e0f9dc614e3989106bc5f52870a08c4386ef43bf349eba7fb6eb2fab1be8f1df8a80d87557