Analysis
max time kernel: 16s
max time network: 21s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 22/08/2024, 16:24
Static task: static1
Behavioral task: behavioral1
  Sample: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  Resource: win10v2004-20240802-en
General
Target: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
Size: 36KB
MD5: dc8c3a3c9dfa7e4144e6ba88c42a6c30
SHA1: 8e90cd92aa6073726e72d15e53efc6b677fb4470
SHA256: c8c906a1b261efbca2f192c7dcdcbe73d17b5cfc5c5205713243176b05b1f3cf
SHA512: eb2d33b410db3a44152001509a1dc9fe589bedec0aad7791dd39ba0b0d74b8a54e03f2d3450610d2fefc00c5764cf7d2610f75b792a49941b28c0498843a50bb
SSDEEP: 384:KrxUgySC4zdy4OyzLeReRcnnX7pi608SO2/yO5YsTg8ULbkVq+kwu2uPs5VlHxkz:ek6zdTiLLpTSOYyYY47UhtPsDxxyqg
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\wercplsupport = "C:\\Users\\Admin\\AppData\\Local\\wercplsupport.exe"
  Process: regedit.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: regedit.exe
Runs .reg file with regedit (1 IoC)
  pid: 2868
  Process: regedit.exe
Suspicious behavior: RenamesItself (2 IoCs)
  pid: 2420
  Process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  pid: 2420
  Process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2420 wrote to memory of 2868
  pid: 2420
  Process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  procid_target: 30
  (the same entry is reported 7 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe"
   PID: 2420
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regedit.exe (child of 1)
      Command line: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
      PID: 2868
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 178B
  MD5: b2cff41e4bc737ade8796eb57ae42f49
  SHA1: eb783727da7a62d1ebbe362a0eb0a908f872812d
  SHA256: c2db2c31adfd0b621a5db6ea29ac03b71f4fbf36c54f3e501a49dfb371ac6f83
  SHA512: 772528de87cea33700c583050ef6025e432486edc92f71cd8d862af1d61a5770c1c7c85cf62f6f6bdd53715fd225631f50faea1c933bfb4ed50c028d07df4ebf

File 2
  Filesize: 36KB
  MD5: 5ccc57e8e69e9039000a7f6dcf29c4f2
  SHA1: 51700281f34a0c216bccb8e53db094ffac3518ca
  SHA256: e8c7290ac70b02c43c831203e79c270cff07e575d817bc9c45d0286c695c823f
  SHA512: 50a51bf141b1c5a64e2bdb5085fcb3b9e74d57bf5abfa1d17b9378e55d163232aff5b0d22ef5bbf9c229d9dd7ba68ee7d00e3d4f6c2bd6b760ade43fa54d7649