Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 15s
- max time network: 21s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 23/08/2024, 19:47
Static task: static1
Behavioral task: behavioral1
- Sample: c44ecfa7bf8a1be3eb806dc600db3c50N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: c44ecfa7bf8a1be3eb806dc600db3c50N.exe
- Resource: win10v2004-20240802-en
General
- Target: c44ecfa7bf8a1be3eb806dc600db3c50N.exe
- Size: 709KB
- MD5: c44ecfa7bf8a1be3eb806dc600db3c50
- SHA1: a0985c9831880de3b97cb972b2eca1844973412c
- SHA256: 5543d593c77de530e29fe0ec48a0ac4a4f797186165928b8ac50fb971f66d878
- SHA512: a68f01887540c771ff87c2605223c8fcf59668d3ee590f21715c5a90a060432f6bd3a38021a5e05b6190a3098ad8515ecd3ac123f5730d949d9068e1d98003aa
- SSDEEP: 3072:rntwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMykw+imi5weJn4T+B8bw:rNuj8NDF3OR9/Qe2HdJ8pSLF
Malware Config
Signatures
- Deletes itself (1 IoC)
    pid   Process
    2928  cmd.exe
- Executes dropped EXE (3 IoCs)
    pid   Process
    2952  casino_extensions.exe
    2780  LiveMessageCenter.exe
    2640  casino_extensions.exe
- Loads dropped DLL (6 IoCs)
    pid   Process
    2716  casino_extensions.exe
    2716  casino_extensions.exe
    480   casino_extensions.exe
    480   casino_extensions.exe
    2868  casino_extensions.exe
    2868  casino_extensions.exe
- Drops file in System32 directory (9 IoCs)
    description                   ioc                                          Process
    File opened for modification  C:\Windows\SysWOW64\LiveMessageCenter.exe    casino_extensions.exe
    File opened for modification  C:\Windows\SysWOW64\casino_extensions.exe    casino_extensions.exe
    File opened for modification  C:\Windows\SysWOW64\casino_extensions.exe    casino_extensions.exe
    File opened for modification  C:\Windows\SysWOW64\LiveMessageCenter.exe    casino_extensions.exe
    File created                  C:\Windows\SysWOW64\casino_extensions.exe    casino_extensions.exe
    File opened for modification  C:\Windows\SysWOW64\casino_extensions.exe    casino_extensions.exe
    File opened for modification  C:\Windows\SysWOW64\LiveMessageCenter.exe    casino_extensions.exe
    File opened for modification  C:\Windows\SysWOW64\casino_extensions.exe    casino_extensions.exe
    File created                  C:\Windows\SysWOW64\LiveMessageCenter.exe    casino_extensions.exe
- Drops file in Program Files directory (5 IoCs)
    description                   ioc                                                              Process
    File opened for modification  C:\Program Files (x86)\Internet Explorer\casino_extensions.exe   LiveMessageCenter.exe
    File opened for modification  C:\Program Files (x86)\Internet Explorer\casino_extensions.exe   casino_extensions.exe
    File created                  C:\Program Files (x86)\Internet Explorer\$$202803s.bat           casino_extensions.exe
    File opened for modification  C:\Program Files (x86)\Internet Explorer\$$202803s.bat           casino_extensions.exe
    File opened for modification  C:\Program Files (x86)\Internet Explorer\casino_extensions.exe   casino_extensions.exe
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LiveMessageCenter.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  casino_extensions.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  casino_extensions.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c44ecfa7bf8a1be3eb806dc600db3c50N.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  casino_extensions.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  casino_extensions.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  casino_extensions.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  casino_extensions.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid   Process
    2780  LiveMessageCenter.exe
- Suspicious behavior: RenamesItself (1 IoC)
    pid   Process
    2304  c44ecfa7bf8a1be3eb806dc600db3c50N.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
    description                          pid   Process                                 procid_target
    PID 2304 wrote to memory of 2716     2304  c44ecfa7bf8a1be3eb806dc600db3c50N.exe   29
    PID 2304 wrote to memory of 2716     2304  c44ecfa7bf8a1be3eb806dc600db3c50N.exe   29
    PID 2304 wrote to memory of 2716     2304  c44ecfa7bf8a1be3eb806dc600db3c50N.exe   29
    PID 2304 wrote to memory of 2716     2304  c44ecfa7bf8a1be3eb806dc600db3c50N.exe   29
    PID 2716 wrote to memory of 2952     2716  casino_extensions.exe                   30
    PID 2716 wrote to memory of 2952     2716  casino_extensions.exe                   30
    PID 2716 wrote to memory of 2952     2716  casino_extensions.exe                   30
    PID 2716 wrote to memory of 2952     2716  casino_extensions.exe                   30
    PID 2952 wrote to memory of 480      2952  casino_extensions.exe                   31
    PID 2952 wrote to memory of 480      2952  casino_extensions.exe                   31
    PID 2952 wrote to memory of 480      2952  casino_extensions.exe                   31
    PID 2952 wrote to memory of 480      2952  casino_extensions.exe                   31
    PID 480 wrote to memory of 2780      480   casino_extensions.exe                   32
    PID 480 wrote to memory of 2780      480   casino_extensions.exe                   32
    PID 480 wrote to memory of 2780      480   casino_extensions.exe                   32
    PID 480 wrote to memory of 2780      480   casino_extensions.exe                   32
    PID 2780 wrote to memory of 2868     2780  LiveMessageCenter.exe                   33
    PID 2780 wrote to memory of 2868     2780  LiveMessageCenter.exe                   33
    PID 2780 wrote to memory of 2868     2780  LiveMessageCenter.exe                   33
    PID 2780 wrote to memory of 2868     2780  LiveMessageCenter.exe                   33
    PID 2868 wrote to memory of 2640     2868  casino_extensions.exe                   34
    PID 2868 wrote to memory of 2640     2868  casino_extensions.exe                   34
    PID 2868 wrote to memory of 2640     2868  casino_extensions.exe                   34
    PID 2868 wrote to memory of 2640     2868  casino_extensions.exe                   34
    PID 2640 wrote to memory of 3040     2640  casino_extensions.exe                   35
    PID 2640 wrote to memory of 3040     2640  casino_extensions.exe                   35
    PID 2640 wrote to memory of 3040     2640  casino_extensions.exe                   35
    PID 2640 wrote to memory of 3040     2640  casino_extensions.exe                   35
    PID 3040 wrote to memory of 2928     3040  casino_extensions.exe                   36
    PID 3040 wrote to memory of 2928     3040  casino_extensions.exe                   36
    PID 3040 wrote to memory of 2928     3040  casino_extensions.exe                   36
    PID 3040 wrote to memory of 2928     3040  casino_extensions.exe                   36
    PID 2868 wrote to memory of 2796     2868  casino_extensions.exe                   37
    PID 2868 wrote to memory of 2796     2868  casino_extensions.exe                   37
    PID 2868 wrote to memory of 2796     2868  casino_extensions.exe                   37
    PID 2868 wrote to memory of 2796     2868  casino_extensions.exe                   37
Processes
(process tree; the number in brackets is the depth of the process in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\c44ecfa7bf8a1be3eb806dc600db3c50N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c44ecfa7bf8a1be3eb806dc600db3c50N.exe"
    PID: 2304
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      PID: 2716
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\casino_extensions.exe
        Command line: C:\Windows\system32\casino_extensions.exe
        PID: 2952
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
          Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
          PID: 480
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\LiveMessageCenter.exe
            Command line: C:\Windows\system32\LiveMessageCenter.exe /part2
            PID: 2780
            - Executes dropped EXE
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
              Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
              PID: 2868
              - Loads dropped DLL
              - Drops file in System32 directory
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\casino_extensions.exe
                Command line: C:\Windows\system32\casino_extensions.exe
                PID: 2640
                - Executes dropped EXE
                - Drops file in Program Files directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
              [8] C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                  Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                  PID: 3040
                  - Drops file in System32 directory
                  - Drops file in Program Files directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd /c $$2028~1.BAT
                    PID: 2928
                    - Deletes itself
                    - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c $$2028~1.BAT
                PID: 2796
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 81B
  MD5: 4777bf695815d870d27ed4a38a8f0840
  SHA1: 565412b5182bca7a221448dba78369c42d1c4a0c
  SHA256: c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
  SHA512: 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d
- Filesize: 715KB
  MD5: 4c32dc8f8e066185bf4c6619260ef142
  SHA1: 5fddefc902976785fb0433eccf9d7930fbcfe5ed
  SHA256: 18b7ef2d12c0f54eae170f17c464c10b55bbb0646c2691532213ae910b800749
  SHA512: b6a53565cd7340e7d83b86976fc9a2757839ba8285488b231021b81b649fb3923c3716ac5960129466c798db1fd6d8db0adaca7e0ddfc8ecff596f3f207c5f36
- Filesize: 724KB
  MD5: 8e0ae2cca659f59f1ab7ff191767aed8
  SHA1: 3cc51c1d08b70d4e127a62d8bbb8df55ebeb0e5d
  SHA256: 1ebb2a1332916c1dd2e7bac023ed606d29cf503a2011a8fb4966ee1a1ae4ceae
  SHA512: 1f8a15afc2af1e7b84675a33d9353145c4ed25698da355fc72d1bba2925563eb90450e02a59bb7f129c7414983703cb8bf7c0dcbe1d714ee4374e23ac4466fdb