Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
max time kernel: 101s
max time network: 18s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 07:58
Static task: static1
Behavioral task: behavioral1
  Sample: d20414c0807a9d368b457d2e35e5fb00N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: d20414c0807a9d368b457d2e35e5fb00N.exe
  Resource: win10v2004-20240802-en
The signatures and process tree shown on this page come from the behavioral1 run (platform windows7_x64, resource win7-20240705-en); the Windows 10 run is a separate task.
General
Target: d20414c0807a9d368b457d2e35e5fb00N.exe
Size: 453KB
MD5: d20414c0807a9d368b457d2e35e5fb00
SHA1: c98f146b3d5737ed81d5a1969c8600e8d1fdf26f
SHA256: 7a46d837a1b8c92d9d5193a13bb8952edecf331fc0bcb0f2df9946cccabd7f3d
SHA512: 2c6e60b87fb0ed25db28a63cbf4fa27d5e32b7bfd7c21a4d5895114f00a757d92c14df9eb24d51e15d792757a8646c426ff16ec500531316f26fd22a8a81d024
SSDEEP: 6144:HZAxR5EDPW+QJXkMlvls8W+9gN3sZ20W7cyqCxSngmMBqfycuPbUl0i5cD5J6b8M:H7P8JTtAxN3gk0npM4dl0v5JHpS0wULW
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 1704  d20414c0807a9d368b457d2e35e5fb00N.exe
Executes dropped EXE (1 IoC)
  PID 1704  d20414c0807a9d368b457d2e35e5fb00N.exe
Loads dropped DLL (1 IoC)
  PID 1212  d20414c0807a9d368b457d2e35e5fb00N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d20414c0807a9d368b457d2e35e5fb00N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d20414c0807a9d368b457d2e35e5fb00N.exe
  (One open per process; the process tree below attributes this signature to both PID 1212 and PID 1704.)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1704  d20414c0807a9d368b457d2e35e5fb00N.exe
Suspicious behavior: RenamesItself (1 IoC)
  PID 1212  d20414c0807a9d368b457d2e35e5fb00N.exe
Suspicious use of UnmapMainImage (1 IoC)
  PID 1704  d20414c0807a9d368b457d2e35e5fb00N.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1212 wrote to memory of PID 1704  d20414c0807a9d368b457d2e35e5fb00N.exe  procid_target 30
  The same parent-to-child write is recorded four times. Read together with the child's UnmapMainImage entry, the parent is writing into a freshly spawned copy of its own image; the report does not name a loader technique, so dump the child's memory before attributing one.
Processes
1. C:\Users\Admin\AppData\Local\Temp\d20414c0807a9d368b457d2e35e5fb00N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d20414c0807a9d368b457d2e35e5fb00N.exe"
   PID: 1212
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\d20414c0807a9d368b457d2e35e5fb00N.exe (child of PID 1212)
      Command line: C:\Users\Admin\AppData\Local\Temp\d20414c0807a9d368b457d2e35e5fb00N.exe
      PID: 1704
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of UnmapMainImage
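As an added example, not part of the tria.ge report and not code from the sample, here is detection logic for the two behaviours the report flags, run over constructed Sysmon-style records shaped like the IoC rows above. The event schema (type, pid, ppid, image, key, target_pid), the extra benign notepad.exe process and the ATT&CK sub-technique tag T1614.001 are assumptions; the PIDs, image path and registry key are taken from the report.

```python
"""Added example: flag (a) opens of the NLS\\Language key and (b) a process that
spawns its own image and then writes into that child's memory. Event records
below are constructed to mirror the report's rows; the schema is hypothetical."""
import re
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\d20414c0807a9d368b457d2e35e5fb00N.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed events (not a real capture), modelled on the report's IoC rows.
EVENTS = [
    {"type": "process_create", "pid": 1212, "ppid": 500, "image": IMAGE},
    {"type": "process_create", "pid": 1704, "ppid": 1212, "image": IMAGE},
    {"type": "registry_open", "pid": 1212, "key": NLS_KEY},
    {"type": "registry_open", "pid": 1704, "key": NLS_KEY},
    # The report lists four identical WriteProcessMemory rows for 1212 -> 1704.
    *[{"type": "process_write", "pid": 1212, "target_pid": 1704} for _ in range(4)],
    # Benign noise so the checks have something to ignore (assumed).
    {"type": "process_create", "pid": 2000, "ppid": 500,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "registry_open", "pid": 2000,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
]

# Match the NLS\Language key under any control set, in native or Win32 spelling,
# so ControlSet001 / CurrentControlSet / HKLM variants all hit.
NLS_LANGUAGE_RE = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\"
    r"(?:ControlSet\d{3}|CurrentControlSet)\\Control\\NLS\\Language(?:\\|$)",
    re.IGNORECASE,
)


def language_discovery_pids(events):
    """PIDs that opened the NLS\\Language key (System Language Discovery)."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry_open" and NLS_LANGUAGE_RE.match(e["key"])})


def self_spawn_injection(events):
    """Parent/child pairs where a process spawned a copy of its own image and then
    wrote into that child's memory. Returns {(parent_pid, child_pid): write_count}."""
    image = {e["pid"]: e["image"].lower() for e in events if e["type"] == "process_create"}
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    writes = defaultdict(int)
    for e in events:
        if e["type"] != "process_write":
            continue
        src, dst = e["pid"], e["target_pid"]
        if parent.get(dst) == src and src in image and image[src] == image.get(dst):
            writes[(src, dst)] += 1
    return dict(writes)


def triage(events):
    """Combine both checks into per-PID findings with an ATT&CK tag (tag assumed)."""
    findings = defaultdict(list)
    for pid in language_discovery_pids(events):
        findings[pid].append("T1614.001 System Language Discovery: NLS\\Language opened")
    for (src, dst), n in self_spawn_injection(events).items():
        findings[src].append(f"wrote to child {dst} ({n} WriteProcessMemory calls) running its own image")
        findings[dst].append(f"memory written by parent {src}; dump the child before trusting its on-disk image")
    return dict(findings)


if __name__ == "__main__":
    for pid, notes in sorted(triage(EVENTS).items()):
        print(pid, *notes, sep="\n  ")
```

The regex deliberately accepts any ControlSetNNN as well as CurrentControlSet, because the sandbox records the resolved native path (ControlSet001) while a live host or a Win32-style log will usually show the symbolic name; matching only the literal string from the report would miss the same behaviour elsewhere.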
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file
Filesize: 453KB
MD5: 02a0fd6f1e79c6b774465398a36a6917
SHA1: 9ec67365368e342f156ca7919bf0b01fff1f226c
SHA256: 09c8f1ba3f033e199c9a4002b51cc61f28b86e8cea8e55e53eace8b1d4bbb7c5
SHA512: 9d5ec8581d5272be679850e5625d7b5e3c093876b40c5a3aa530efebc423c2877c53870c1b5cccf70828d55d1aa562fbc9d399c2297ca4cc67f1f1f18352b13f
The dropped file is the same size as the submitted sample (453KB) but every hash differs, so indicators built from the original sample's hashes will not match this artifact; hunt on both sets.