Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 22/08/2024, 14:50
Static task: static1
Behavioral task: behavioral1
  Sample: d8ee27d807b9247a948cf6f96a3d8380N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: d8ee27d807b9247a948cf6f96a3d8380N.exe
  Resource: win10v2004-20240802-en
General
Target: d8ee27d807b9247a948cf6f96a3d8380N.exe
Size: 34KB
MD5: d8ee27d807b9247a948cf6f96a3d8380
SHA1: 58d774a0c61b8cec1b83baf51bfbfe9602a6b580
SHA256: be0013dfb5c8a727646f8a90a1bb5a6ac1d487f7d0131080307e22bd8ded5f25
SHA512: 1f0249d1328252224f6e04a0644cf5cd2b16fe5dbb60d2809b96d540100c544197b3f7005a00ab578edbf2df379433d49f619e549820f29c86c188ac6398fd41
SSDEEP: 384:MApc8m4e0GvQak4JI341C0abnk6hJPuM2B:MApQr0GvdFJI34qTk6hJPfU
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1348  sal.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2156  d8ee27d807b9247a948cf6f96a3d8380N.exe
  2156  d8ee27d807b9247a948cf6f96a3d8380N.exe

Drops file in System32 directory (1 IoC)
  description   ioc                                  Process
  File created  \??\c:\windows\SysWOW64\sal.exe      d8ee27d807b9247a948cf6f96a3d8380N.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d8ee27d807b9247a948cf6f96a3d8380N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sal.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                     pid   Process                                 procid_target
  PID 2156 wrote to memory of 1348  2156  d8ee27d807b9247a948cf6f96a3d8380N.exe   30
  PID 2156 wrote to memory of 1348  2156  d8ee27d807b9247a948cf6f96a3d8380N.exe   30
  PID 2156 wrote to memory of 1348  2156  d8ee27d807b9247a948cf6f96a3d8380N.exe   30
  PID 2156 wrote to memory of 1348  2156  d8ee27d807b9247a948cf6f96a3d8380N.exe   30
Processes
1. C:\Users\Admin\AppData\Local\Temp\d8ee27d807b9247a948cf6f96a3d8380N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d8ee27d807b9247a948cf6f96a3d8380N.exe"
   PID: 2156
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\windows\SysWOW64\sal.exe (child of PID 2156)
      Command line: "C:\windows\system32\sal.exe"
      PID: 1348
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 34KB
MD5: 055fcf231df36bbf07fa18422b5ebedb
SHA1: 7e5f7e3302fa3b0446b5e105e3ef528af00de57c
SHA256: 56b960fa49858bfa03ca00e5bea45ca55cd28c6c715f581473ca9f3b2fdb5729
SHA512: 86a59f5e43b4a81645662ea1022beb7265c90dae6c9b802ab08896dbd6e8621e1a9fb2fc0c155779da0d36422bce9ac4831486b58faf1da41aceefb770e9f690