Analysis

max time kernel:  122s
max time network: 123s
platform:         windows7_x64
resource:         win7-20240704-en
resource tags:    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted:        24/08/2024, 04:33
Static task
  static1

Behavioral task
  behavioral1
  Sample:   d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Resource: win7-20240704-en

Behavioral task
  behavioral2
  Sample:   d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Resource: win10v2004-20240802-en
General

Target: d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
Size:   2.7MB
MD5:    ac3ab242cda9abd60b9b5bce92c201c0
SHA1:   ad05cec66b8471ba6fad3afb7a2dc16215000555
SHA256: d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41
SHA512: 4965150d36702e824bf9e7ea6b350fcc2ddddc5bdeed05b2d617fc22df3d9b639c73fc648d490d35261e65285842f8ed9eff2d61b8b4be462f02bcfe7ba12113
SSDEEP: 49152:9YyT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:ZTE66yXZ02DwUHoazRofxIhELjf/IVgs
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2824  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2160  Arleen Rosalinda.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2516  d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  2640  WerFault.exe (5 entries)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2640  2160        WerFault.exe  31

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Arleen Rosalinda.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2824  cmd.exe
  3052  PING.EXE

Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  3052  PING.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2516  d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe (2 entries)
  2160  Arleen Rosalinda.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            2516  d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Token: SeIncBasePriorityPrivilege  2516  d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Token: SeDebugPrivilege            2160  Arleen Rosalinda.exe
  Token: SeIncBasePriorityPrivilege  2160  Arleen Rosalinda.exe

Suspicious use of WriteProcessMemory (16 IoCs; each row below is logged 4 times)
  description                       pid   Process                                                                procid_target
  PID 2516 wrote to memory of 2160  2516  d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe  31
  PID 2516 wrote to memory of 2824  2516  d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe  32
  PID 2824 wrote to memory of 3052  2824  cmd.exe                                                                34
  PID 2160 wrote to memory of 2640  2160  Arleen Rosalinda.exe                                                   35
Processes

C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe (PID 2516, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe (PID 2160, depth 2, child of 2516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Arleen Rosalinda.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 2640, depth 3, child of 2160)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 848
      - Loads dropped DLL
      - Program crash

  C:\Windows\SysWOW64\cmd.exe (PID 2824, depth 2, child of 2516)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 3052, depth 3, child of 2824)
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
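The cmd.exe chain in the tree above (one ping to a fixed address with a 3000 ms timeout, then Del of the original sample) is the usual "ping as sleep" self-deletion idiom: the parent process exits while ping is still running, so by the time del executes the file is no longer locked. The detector below is an added example, not part of the tria.ge report or of the sample's own code. It splits a cmd.exe command line on the cmd separators, looks for a ping segment followed by a del/erase segment, and then uses parent/child PIDs to tell "deleted the parent's own image" apart from "ping-delayed delete of some other file". The process records are constructed: the first three copy the PIDs, images and command lines from this report, the remaining rows are made-up benign and near-miss cases.

```python
"""Flag cmd.exe command lines that use ping as a sleep before del/erase.

Added example, not part of the tria.ge report. SAMPLE_PROCESSES is constructed:
the first three rows copy this report's process tree, the rest are made up.
"""
import re

SEPARATOR_RE = re.compile(r"\s*(?:&&|\|\||&)\s*")   # cmd.exe command separators
CMD_SWITCHES = {"/c", "/k", "/q", "/d", "/s"}         # switches between cmd.exe and its command


def _tokens(segment):
    """Split one command segment into tokens, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', segment)]


def _command_and_args(segment):
    """Return (command, args), skipping a leading cmd.exe path and its switches."""
    toks = _tokens(segment)
    i = 0
    if toks and (toks[0].lower() in ("cmd", "cmd.exe") or toks[0].lower().endswith("\\cmd.exe")):
        i = 1
        while i < len(toks) and toks[i].lower() in CMD_SWITCHES:
            i += 1
    if i >= len(toks):
        return "", []
    return toks[i].lower(), toks[i + 1:]


def parse_ping_delete_chain(cmdline):
    """Return the path deleted after a ping delay, or None if the idiom is absent."""
    ping_seen = False
    for segment in SEPARATOR_RE.split(cmdline):
        command, args = _command_and_args(segment)
        if command in ("ping", "ping.exe"):
            ping_seen = True
        elif command in ("del", "erase") and ping_seen:
            targets = [a for a in args if not a.startswith("/")]   # drop del switches (/f /q ...)
            if targets:
                return targets[0]
    return None


def find_ping_delete_chains(processes):
    """Correlate each cmd.exe record with its parent and classify the deletion.

    'self-delete'    : the deleted path is the parent's own image (the case in this report)
    'delayed-delete' : ping-then-del of some other file; lower confidence, still worth a look
    """
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for proc in processes:
        if not proc["image"].lower().endswith("\\cmd.exe"):
            continue
        target = parse_ping_delete_chain(proc["cmdline"])
        if target is None:
            continue
        parent = by_pid.get(proc["ppid"])
        kind = "delayed-delete"
        if parent is not None and parent["image"].lower() == target.lower():
            kind = "self-delete"
        findings.append({"pid": proc["pid"], "ppid": proc["ppid"], "kind": kind, "target": target})
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"

SAMPLE_PROCESSES = [
    # rows copied from this report's process tree
    {"pid": 2516, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2824, "ppid": 2516, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "{SAMPLE}"'},
    {"pid": 3052, "ppid": 2824, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 1.1.1.1 -n 1 -w 3000"},
    # constructed rows: a plain ping, a plain del, and a ping-delayed delete of an unrelated file
    {"pid": 900, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /C ping 8.8.8.8 -n 4"},
    {"pid": 4200, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C del /f "C:\Users\Admin\Desktop\old.txt"'},
    {"pid": 4300, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C ping 127.0.0.1 -n 3 > nul && del /q C:\Users\Admin\AppData\Local\Temp\update.tmp"},
]

if __name__ == "__main__":
    for finding in find_ping_delete_chains(SAMPLE_PROCESSES):
        print(finding)
```

Run against the constructed records it reports PID 2824 as a self-delete of the sample (its parent 2516) and PID 4300 as a delayed delete of update.tmp; the plain ping and plain del rows produce nothing. On real telemetry feed it Sysmon event 1 or EDR process-creation records (pid, ppid, image, command line); the parent-image comparison is what keeps the rule from firing on every scripted ping.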
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.7MB
MD5:      ea2bf0f98e449a2c59dff1f9fb09af97
SHA1:     53cbbfd14a001acea01c7238889ae85655f53916
SHA256:   816e85cc6582042f1474be9825bb38ec7d861ed77302e54240f718a71ede9b4f
SHA512:   fa9424728ce18b1beaf967853d1aa6ed98b67e42f9ba1f8ea94ee1a4133ea125c277366ad532ddc652a468991c1bb9a380eed42a02476f07b60cc16a0e31dab6

Filesize: 2.7MB
MD5:      c030475d0b475bb229d909ec7f2453ff
SHA1:     cb4faf1181ee06447eed1c23fe59f16fe4d241d6
SHA256:   081087f86099e6b85f57a4a7f71d355d6be40155c770f5bdee7fc86662b22454
SHA512:   9683eaf0c00482fdfc05d2623f5ae23427a4934bc5b4e24a820484491fdfe279f6a0183cba957f1564d62c792975bf279f837914554e93ca0f3cc612f4dde9d3