Analysis
max time kernel: 102s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 25/08/2024, 09:26
Behavioral task
behavioral1
Sample
7a73923178f3e4bc9eee75f7c2f8a440N.exe
Resource
win7-20240708-en
General
Target: 7a73923178f3e4bc9eee75f7c2f8a440N.exe
Size: 584KB
MD5: 7a73923178f3e4bc9eee75f7c2f8a440
SHA1: 6da5b9021c582601b81fa165effc454f7d1662f1
SHA256: 8800197d194bee632da5961314bc57f7a4cb7400274cfc791942fef552c81886
SHA512: bc5b7158b6ef87c86fdfbb14be14ae9abfc9513d39d946875cc80d72a73bd70f19707967ab44ef330b5aee4388179476219c767fe1f512b44bbbfdde0f0be59e
SSDEEP: 12288:mplrVbDdQaqdS/ofraFErH8uB2Wm0SXser5FU:CxRQ+Fucuvm0as
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
1736 | Internals.exe

UPX packed file (5 IoCs)
resource | yara_rule
behavioral2/memory/2124-0-0x0000000000400000-0x0000000000575000-memory.dmp | upx
behavioral2/files/0x0008000000023478-3.dat | upx
behavioral2/memory/1736-5-0x0000000000400000-0x0000000000575000-memory.dmp | upx
behavioral2/memory/2124-6-0x0000000000400000-0x0000000000575000-memory.dmp | upx
behavioral2/memory/1736-7-0x0000000000400000-0x0000000000575000-memory.dmp | upx

Drops file in Program Files directory (1 IoC)
description | ioc | Process
File created | C:\Program Files\Debugging\Internals.exe | 7a73923178f3e4bc9eee75f7c2f8a440N.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7a73923178f3e4bc9eee75f7c2f8a440N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Internals.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
2124 | 7a73923178f3e4bc9eee75f7c2f8a440N.exe (4 hook installs)
1736 | Internals.exe (4 hook installs)

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2124 wrote to memory of 1736 | 2124 | 7a73923178f3e4bc9eee75f7c2f8a440N.exe | 84
PID 2124 wrote to memory of 1736 | 2124 | 7a73923178f3e4bc9eee75f7c2f8a440N.exe | 84
PID 2124 wrote to memory of 1736 | 2124 | 7a73923178f3e4bc9eee75f7c2f8a440N.exe | 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\7a73923178f3e4bc9eee75f7c2f8a440N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a73923178f3e4bc9eee75f7c2f8a440N.exe"
   PID: 2124
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Debugging\Internals.exe (child of PID 2124)
      Command line: "C:\Program Files\Debugging\Internals.exe" "33201"
      PID: 1736
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 584KB
MD5: 927cbb536f0d2ba15902d6158042aaf2
SHA1: e3f9c7a6a25d72a9bb9a58b5129a9bce66d4a1ec
SHA256: e4cf94a4c455825034b5780ee2ce011acfac6703a172fd6ce19d7fa1359964b1
SHA512: 1bad5a749c6558c18996905bc6c54168bf80d07dac813abc5bf09dc79d202b16f2cf0515fff01a3724b88fe68c78aa99cf56061874f3230cf8a9db1c691d4027