Analysis
- max time kernel: 148s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21/08/2024, 20:27
Static task: static1
Behavioral task: behavioral1
- Sample: setup.exe
- Resource: win7-20240704-en
General
- Target: setup.exe
- Size: 1.4MB
- MD5: 706c6bfc8bfc84cff339ad4f1383b5f6
- SHA1: 2bee5db2fc7f4c0cb9657b3c56381edf55f20b9e
- SHA256: a24bca9187ab78b0e924a7c34e897fbe6410dac464ad5df0f9652339e99328be
- SHA512: 40fde805e9c2f8b4803924cdedf87bbb3deb80143110ca1cbad98648ea511d4e99ac82444ae13a275fe8c36bbfdaef81b2a5e9f55fddb5cecbd66dcfce6a8b90
- SSDEEP: 24576:mbn04bdgOwOvZc+y8UZ3BQ9KtFkva8DgY4bQzy5kafTQUIz:m5ggc+GZ0KsTkxbEy2wTgz
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
- description: Key created
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica
  Process: remotesetup.exe
- description: Key created
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Process: remotesetup.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\remotesetup.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\remotesetup.exe:*:Enabled:DuDuAcc"
  Process: remotesetup.exe
Executes dropped EXE 4 IoCs
pid   Process
2880  setup.exe
320   dudu.exe
2600  is-T413B.tmp
2588  remotesetup.exe
Loads dropped DLL 16 IoCs
pid   Process
2152  setup.exe
2880  setup.exe
2152  setup.exe
2880  setup.exe
2880  setup.exe
2152  setup.exe
2880  setup.exe
320   dudu.exe
320   dudu.exe
320   dudu.exe
2600  is-T413B.tmp
2600  is-T413B.tmp
320   dudu.exe
2588  remotesetup.exe
2588  remotesetup.exe
2588  remotesetup.exe
Drops file in Windows directory 1 IoCs
- description: File created
  ioc: C:\Windows\Tasks\DDD_Install_Program.job
  Process: remotesetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: is-T413B.tmp
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: dudu.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: remotesetup.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: setup.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: setup.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2600  is-T413B.tmp
Suspicious use of WriteProcessMemory 28 IoCs
(the original table lists each row the number of times given in the occurrences column)
description                        pid   Process    procid_target  occurrences
PID 2152 wrote to memory of 2880   2152  setup.exe  31             7
PID 2152 wrote to memory of 320    2152  setup.exe  32             7
PID 2880 wrote to memory of 2600   2880  setup.exe  33             7
PID 320 wrote to memory of 2588    320   dudu.exe   34             7
Processes (tree; indentation shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 2152)
  command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  signatures:
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\692bb034-c657-4d9f-ae33-ad095e29596d\setup.exe (PID 2880)
    command line: C:\Users\Admin\AppData\Local\Temp\692bb034-c657-4d9f-ae33-ad095e29596d\setup.exe
    signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\is-FKMHM.tmp\is-T413B.tmp (PID 2600)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-FKMHM.tmp\is-T413B.tmp" /SL4 $60124 C:\Users\Admin\AppData\Local\Temp\692bb034-c657-4d9f-ae33-ad095e29596d\setup.exe 812133 50688
      signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam

  - C:\Users\Admin\AppData\Local\Temp\692bb034-c657-4d9f-ae33-ad095e29596d\dudu.exe (PID 320)
    command line: C:\Users\Admin\AppData\Local\Temp\692bb034-c657-4d9f-ae33-ad095e29596d\dudu.exe
    signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\remotesetup.exe (PID 2588)
      command line: C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
      signatures:
      - Modifies firewall policy service
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery