Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:  110s
  max time network: 18s
  platform:         windows7_x64
  resource:         win7-20240708-en
  resource tags:    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:        25/08/2024, 20:54
Static task
  static1
Behavioral task
  behavioral1: sample a9e4ef6504c168c3834bb554ddbaf8f0N.exe, resource win7-20240708-en
Behavioral task
  behavioral2: sample a9e4ef6504c168c3834bb554ddbaf8f0N.exe, resource win10v2004-20240802-en
General
  Target: a9e4ef6504c168c3834bb554ddbaf8f0N.exe
  Size:   372KB
  MD5:    a9e4ef6504c168c3834bb554ddbaf8f0
  SHA1:   57047ef52fa004baa8d4245311c3212a2ffd0964
  SHA256: fbf826265e7f0a4d6b3db01f4ff96b30183e93bab1d6226df01b1becdddf70eb
  SHA512: 14aaf09d234e2bba07330b4a700ee9b7dc4facf616dccf4390f574dfcd06949b1aec12d45e9c7ae8718d1512250d9589e5ee58e4c755816aebcdb21807126c6a
  SSDEEP: 6144:BkLYyvZFsjpHQvXrlHyJzVJot3aERiLTwEYYs1Z:BkLYyourOWaE0TGY
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 2832  sysctl.exe

Loads dropped DLL (5 IoCs)
  PID 2688  a9e4ef6504c168c3834bb554ddbaf8f0N.exe  (2 loads)
  PID 2240  WerFault.exe  (3 loads, while handling the sysctl.exe crash)

Modifies system executable filetype association (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command   a9e4ef6504c168c3834bb554ddbaf8f0N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (default) = C:\Windows\SysWow64\realex.exe "%1" %*   a9e4ef6504c168c3834bb554ddbaf8f0N.exe
  The stock value of this key is "%1" %*. With the handler replaced, every .exe started through the shell is launched via the dropped realex.exe, which receives the real target as %1. Deleting realex.exe without first restoring the default value leaves the host unable to open .exe files from Explorer.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysctl.exe = C:\Windows\system32\sysctl.exe   a9e4ef6504c168c3834bb554ddbaf8f0N.exe

Drops file in System32 directory (2 IoCs)
  File created  C:\Windows\SysWOW64\realex.exe   a9e4ef6504c168c3834bb554ddbaf8f0N.exe
  File created  C:\Windows\SysWOW64\sysctl.exe   a9e4ef6504c168c3834bb554ddbaf8f0N.exe

Program crash (2 IoCs)
  PID 2240  WerFault.exe  target PID 2832 (sysctl.exe, procid 30)
  PID 3024  WerFault.exe  target PID 2688 (a9e4ef6504c168c3834bb554ddbaf8f0N.exe, procid 29)
  Both the dropper and its dropped sysctl.exe crashed in the Windows 7 run, so the recorded behaviour may be incomplete.

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a9e4ef6504c168c3834bb554ddbaf8f0N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sysctl.exe

Modifies registry class (2 IoCs)
  The same two events as "Modifies system executable filetype association" above:
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command   a9e4ef6504c168c3834bb554ddbaf8f0N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (default) = C:\Windows\SysWow64\realex.exe "%1" %*   a9e4ef6504c168c3834bb554ddbaf8f0N.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2688 (a9e4ef6504c168c3834bb554ddbaf8f0N.exe) wrote to memory of PID 2832 (procid 30), 4 times
  PID 2832 (sysctl.exe) wrote to memory of PID 2240 (procid 31), 4 times
  PID 2688 (a9e4ef6504c168c3834bb554ddbaf8f0N.exe) wrote to memory of PID 3024 (procid 32), 4 times
  Every target is a process the writer itself spawned (see Processes), so these are the writes made into a freshly created child, not injection into an unrelated process.
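The two registry writes above are the sample's persistence: a handler hijack on the exefile class and a Run entry. The Python below is an added example, not part of the tria.ge report and not the sample's code, showing how an analyst can encode both checks over registry-write records. The RegistryWrite records in SAMPLE_EVENTS are constructed to mirror the report's IoCs (plus one benign control); the record shape, normalize_key, find_hijacks and handler_executable are this example's own names, not a tria.ge API.

```python
"""Added example: flag an exefile handler hijack and a Run-key autostart in
registry-write records shaped like the IoCs in the report above.

The RegistryWrite records in SAMPLE_EVENTS are constructed to mirror the report
(plus one benign control); they are not pulled from tria.ge."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows' stock exefile handler: run the target itself, passing its arguments.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Sandbox reports name hives as \REGISTRY\MACHINE and \REGISTRY\USER.
_HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


@dataclass(frozen=True)
class RegistryWrite:
    process: str
    key: str   # key path as reported; a trailing '\' marks the default value
    name: str  # value name, '' for the default value
    data: str


def normalize_key(path: str) -> str:
    """Map the report's hive prefix to HKLM/HKU, drop the Wow6432Node shim so
    32-bit and 64-bit writes compare alike, strip the trailing '\\', lowercase."""
    for prefix, hive in _HIVES.items():
        if path.upper().startswith(prefix):
            path = hive + path[len(prefix):]
            break
    path = re.sub(r"\\Wow6432Node(?=\\)", "", path, flags=re.IGNORECASE)
    return path.rstrip("\\").lower()


def handler_executable(command: str) -> Optional[str]:
    """Return the interposed binary from a hijacked handler command, or None
    when the command is the stock '"%1" %*' form (nothing precedes %1)."""
    m = re.match(r'\s*"?([^"%]+?\.exe)"?\s', command, flags=re.IGNORECASE)
    return m.group(1) if m else None


def find_hijacks(events: List[RegistryWrite]) -> List[Tuple[str, str, str]]:
    """Return (finding, process, detail) for every write that replaces the
    exefile handler with something other than the default, and for every value
    set under a CurrentVersion\\Run key."""
    findings = []
    for ev in events:
        key = normalize_key(ev.key)
        if key.endswith("\\classes\\exefile\\shell\\open\\command") and ev.name == "":
            if ev.data.strip() != DEFAULT_EXEFILE_COMMAND:
                findings.append(("exefile_handler_hijack", ev.process, ev.data))
        elif key.endswith("\\microsoft\\windows\\currentversion\\run"):
            findings.append(("run_key_autostart", ev.process, f"{ev.name} = {ev.data}"))
    return findings


# Constructed to mirror the report's IoCs; the msiexec.exe write is a benign
# control that restores the stock handler and must not be flagged.
SAMPLE_EVENTS = [
    RegistryWrite("a9e4ef6504c168c3834bb554ddbaf8f0N.exe",
                  "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\",
                  "", 'C:\\Windows\\SysWow64\\realex.exe "%1" %*'),
    RegistryWrite("a9e4ef6504c168c3834bb554ddbaf8f0N.exe",
                  "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "sysctl.exe", "C:\\Windows\\system32\\sysctl.exe"),
    RegistryWrite("msiexec.exe",
                  "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\",
                  "", '"%1" %*'),
]

if __name__ == "__main__":
    for finding, process, detail in find_hijacks(SAMPLE_EVENTS):
        print(f"{finding:24} {process:40} {detail}")
        if finding == "exefile_handler_hijack":
            print(f"{'':24} interposed handler: {handler_executable(detail)}")
```

On a live host the same comparison is made against the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command (HKCR merges it): anything other than "%1" %* means a handler is interposed. When cleaning up, write the default value back before removing the interposed binary; the other order breaks launching .exe files from the shell.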
Processes
  C:\Users\Admin\AppData\Local\Temp\a9e4ef6504c168c3834bb554ddbaf8f0N.exe  (PID 2688)
    command line: "C:\Users\Admin\AppData\Local\Temp\a9e4ef6504c168c3834bb554ddbaf8f0N.exe"
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\sysctl.exe  (PID 2832)
      command line: C:\Windows\system32\sysctl.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe  (PID 2240)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 184
        - Loads dropped DLL
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 3024)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 192
      - Program crash

Note the mismatch between sysctl.exe's image path and its command line. The dropper is a 32-bit process (its registry writes land under Wow6432Node and its file writes in SysWOW64), so when it launches C:\Windows\system32\sysctl.exe, WOW64 file-system redirection resolves that to C:\Windows\SysWOW64\sysctl.exe, where the file was dropped. The Run value records the unredirected system32 path, and the report shows no write to the native C:\Windows\System32; check on a 64-bit host which process ends up evaluating that Run entry rather than assuming the autostart succeeds.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder, T1547.001 (1)
  Event Triggered Execution (1)
    Change Default File Association, T1546.001 (1)
Downloads
  Filesize: 373KB
  MD5:    85e113f768612bb207ce07add5a50a72
  SHA1:   edf10c7691aea1fae93574dab6ba45329962b7ce
  SHA256: 2b28e67b3462474ada96bc522fc466f9c81b27360b861a16d76d981c66b7a02b
  SHA512: 7b3533dfaf035997c23cd4358ed7bedc0850b24d4965c1dcc4ad9696588d257de412cdc473c0116162d772f8936a5b1f678432f949a758395f58632473086e58
  (Size and hashes differ from the submitted 372KB sample, so this download is a separate artifact from the run, not the sample itself.)