Analysis
- max time kernel: 80s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 08:26
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 615ce9f0ef381665d5fa6c92d8ac4000N.exe
  - Resource: win7-20240708-en
Behavioral task
- behavioral2
  - Sample: 615ce9f0ef381665d5fa6c92d8ac4000N.exe
  - Resource: win10v2004-20240802-en
General
- Target: 615ce9f0ef381665d5fa6c92d8ac4000N.exe
- Size: 218KB
- MD5: 615ce9f0ef381665d5fa6c92d8ac4000
- SHA1: 08f7f66ef855115c95fa67c78cadcc6a777f20aa
- SHA256: c24e25506ba4402e02702e792e73468c70794b70ab5dd5ea28b97aa2c7ae2434
- SHA512: 347159cbaaf168feb9f3194f0ba02bab57f60dbd1c1a84c334e39657c2ce6bf6250a47ca88af33e476df89a908ff165f87c9ba4f9f8378b06c9dd7c462b0050a
- SSDEEP: 6144:xD5njsi/RluoQDOIsm0Bd85fwbNX9aLisM+Nea:xD5526IsNUIX9aLisvNea
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2780, Process 615ce9f0ef381665d5fa6c92d8ac4000N.exe
- Executes dropped EXE (1 IoC)
  pid 2780, Process 615ce9f0ef381665d5fa6c92d8ac4000N.exe
- Loads dropped DLL (1 IoC)
  pid 2340, Process 615ce9f0ef381665d5fa6c92d8ac4000N.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 615ce9f0ef381665d5fa6c92d8ac4000N.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2340, Process 615ce9f0ef381665d5fa6c92d8ac4000N.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid 2780, Process 615ce9f0ef381665d5fa6c92d8ac4000N.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2340 wrote to memory of 2780 | 2340 | 615ce9f0ef381665d5fa6c92d8ac4000N.exe | 31
  PID 2340 wrote to memory of 2780 | 2340 | 615ce9f0ef381665d5fa6c92d8ac4000N.exe | 31
  PID 2340 wrote to memory of 2780 | 2340 | 615ce9f0ef381665d5fa6c92d8ac4000N.exe | 31
  PID 2340 wrote to memory of 2780 | 2340 | 615ce9f0ef381665d5fa6c92d8ac4000N.exe | 31
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe"
  PID: 2340
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe
    PID: 2780
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
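The signatures and process tree above describe one pattern worth correlating rather than reading one IoC at a time: the sample (pid 2340) renames itself, re-launches the same image path as a child (pid 2780), writes into that child's memory, and the child then unmaps its main image and deletes the original file. The following script is an added example and is not part of the Triage report or its export format. It replays a constructed event stream modelled on the IoCs on this page (pids, image path, registry key, the four WriteProcessMemory records) and applies simple correlation rules to it; the event schema, the `triage` function and the rule names are assumptions made for illustration, and the parent of pid 2340, which the report does not show, is left as `None`.

```python
"""Correlate sandbox IoCs into higher-level findings (added example)."""
from collections import defaultdict

# Values taken from the report above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed event stream modelled on the report's signatures. The event
# schema is an assumption for this example, not Triage's own format.
EVENTS = [
    {"type": "process_create", "pid": 2340, "ppid": None, "image": SAMPLE},  # parent not in report
    {"type": "reg_open", "pid": 2340, "key": NLS_KEY},
    {"type": "process_create", "pid": 2780, "ppid": 2340, "image": SAMPLE},
    {"type": "write_process_memory", "pid": 2340, "target": 2780},
    {"type": "write_process_memory", "pid": 2340, "target": 2780},
    {"type": "write_process_memory", "pid": 2340, "target": 2780},
    {"type": "write_process_memory", "pid": 2340, "target": 2780},
    {"type": "unmap_main_image", "pid": 2780},
    {"type": "file_delete", "pid": 2780, "path": SAMPLE},
]


def triage(events):
    """Return {rule_name: sorted list of pids} for the rules that fired."""
    image_of = {}                 # pid -> image path
    parent_of = {}                # pid -> ppid
    writes = defaultdict(set)     # writer pid -> set of target pids
    unmapped = set()              # pids that unmapped their own main image
    findings = defaultdict(set)

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image_of[ev["pid"]] = ev["image"]
            parent_of[ev["pid"]] = ev["ppid"]
            parent_image = image_of.get(ev["ppid"])
            # Child launched from the same image path as its parent.
            if parent_image and parent_image.lower() == ev["image"].lower():
                findings["self_spawn"].add(ev["pid"])
        elif kind == "write_process_memory":
            # Writes into another process, not into the writer itself.
            if ev["target"] != ev["pid"]:
                writes[ev["pid"]].add(ev["target"])
                findings["cross_process_write"].add(ev["pid"])
        elif kind == "unmap_main_image":
            unmapped.add(ev["pid"])
        elif kind == "file_delete":
            # A process deleting the file it was started from.
            own_image = image_of.get(ev["pid"], "")
            if own_image.lower() == ev["path"].lower():
                findings["self_delete"].add(ev["pid"])
        elif kind == "reg_open":
            # Locale lookup via the NLS\Language key (System Language Discovery).
            if ev["key"].lower().endswith(r"\nls\language"):
                findings["locale_check"].add(ev["pid"])

    # Correlation: same-image child, written into by its parent, which then
    # unmapped its own main image. Together these suggest process hollowing;
    # each signal alone is weak, which is why the report labels them "suspicious".
    for child in list(findings["self_spawn"]):
        parent = parent_of.get(child)
        if child in writes.get(parent, set()) and child in unmapped:
            findings["hollowing_pattern"].add(child)

    return {name: sorted(pids) for name, pids in findings.items() if pids}


if __name__ == "__main__":
    for rule, pids in triage(EVENTS).items():
        print(f"{rule}: {pids}")
```

The rules deliberately dedupe the four identical WriteProcessMemory records into one cross-process write; the count matters less than the fact that the writer is the parent of the target. Dropping any one of the three correlated events (same-image spawn, parent write, UnmapMainImage) leaves the individual findings in place but removes `hollowing_pattern`, which is the behaviour you want from a correlation rule.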
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 218KB
- MD5: 126c0bfb1aa88cb8aade598f0535c268
- SHA1: 7f06f74a75ef42305173eb00900109ed4b58eab0
- SHA256: 611db7f82c36dbcc33b6cbd4ae8db65020b6bdbb5ddca2d0dafb4a81e947a6a9
- SHA512: a61d3c3bc0c1d7ecfa751ccc6c17f1f7dcdf0e5f1c553cebbfa5382bdd77e40834f699722e960a5c5e32e609acff62c6f8fb3c78069f68588143d5657121936c