Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 09:26
Behavioral task: behavioral1
Sample: 7a73923178f3e4bc9eee75f7c2f8a440N.exe
Resource: win7-20240708-en
General
Target: 7a73923178f3e4bc9eee75f7c2f8a440N.exe
Size: 584KB
MD5: 7a73923178f3e4bc9eee75f7c2f8a440
SHA1: 6da5b9021c582601b81fa165effc454f7d1662f1
SHA256: 8800197d194bee632da5961314bc57f7a4cb7400274cfc791942fef552c81886
SHA512: bc5b7158b6ef87c86fdfbb14be14ae9abfc9513d39d946875cc80d72a73bd70f19707967ab44ef330b5aee4388179476219c767fe1f512b44bbbfdde0f0be59e
SSDEEP: 12288:mplrVbDdQaqdS/ofraFErH8uB2Wm0SXser5FU:CxRQ+Fucuvm0as
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
pid    Process
2712   Internals.exe

Loads dropped DLL (2 IoCs)
pid    Process
2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe
2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe

resource                                                                       yara_rule
behavioral1/memory/2228-0-0x0000000000400000-0x0000000000575000-memory.dmp     upx
behavioral1/files/0x0011000000016d56-7.dat                                     upx
behavioral1/memory/2712-10-0x0000000000400000-0x0000000000575000-memory.dmp    upx
behavioral1/memory/2228-11-0x0000000000400000-0x0000000000575000-memory.dmp    upx
behavioral1/memory/2712-12-0x0000000000400000-0x0000000000575000-memory.dmp    upx

Drops file in Program Files directory (1 IoCs)
description    ioc                                         Process
File created   C:\Program Files\Debugging\Internals.exe    7a73923178f3e4bc9eee75f7c2f8a440N.exe

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    7a73923178f3e4bc9eee75f7c2f8a440N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Internals.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid    Process
2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe
2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe
2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe
2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe
2712   Internals.exe
2712   Internals.exe
2712   Internals.exe
2712   Internals.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid    Process                                  procid_target
PID 2228 wrote to memory of 2712   2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe    30
PID 2228 wrote to memory of 2712   2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe    30
PID 2228 wrote to memory of 2712   2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe    30
PID 2228 wrote to memory of 2712   2228   7a73923178f3e4bc9eee75f7c2f8a440N.exe    30
Processes

1. C:\Users\Admin\AppData\Local\Temp\7a73923178f3e4bc9eee75f7c2f8a440N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a73923178f3e4bc9eee75f7c2f8a440N.exe"
   PID: 2228
   - Loads dropped DLL
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Debugging\Internals.exe (child of PID 2228)
      Command line: "C:\Program Files\Debugging\Internals.exe" "33201"
      PID: 2712
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 584KB
MD5: 448173a76c55c77e899e1d555b80e999
SHA1: c933e71a79403f5d4c4c4f527ad07fe75edc82d0
SHA256: a1899367b0d2080c16d972f8b37fd13401554ca0a8cc32b64eee09b745c6c27e
SHA512: c15805752b516d4c483d93e7f15a83e1d57b01222687e8279751200440835f740770d873cf031b24d62264be9b455b4037d5a77b901ed937845cf3f0fa906303