Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 33s
max time network: 63s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 26/08/2024, 06:43
Behavioral task
behavioral1
Sample: 5a94bd63f57bec97c51003f347ef5d70N.exe
Resource: win7-20240705-en
General
Target: 5a94bd63f57bec97c51003f347ef5d70N.exe
Size: 1003KB
MD5: 5a94bd63f57bec97c51003f347ef5d70
SHA1: c0ad28860a7ad21587d6237c221c07eb9fb63536
SHA256: da8dcb598c0f52af571ccee448f54a3b4dcf3bd13df39db80751ef02dc7f4fd8
SHA512: 0e1219e67fd645bdaac5fe9b7e7d79455478b27f5852416d634b2277f30766818fde11f61f69b7816d240f7595aeb81e7eeeb1e0a2a5765e970cebe233023ef5
SSDEEP: 24576:Af9Nn/0eyTwFf3HJEuMlSVj21RaBkoXlq:AlV/0fwFf3HJEuMlSVj21RaBkoXl
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2856, Process 5a94bd63f57bec97c51003f347ef5d70N.exe
- Executes dropped EXE (1 IoCs)
  pid 2856, Process 5a94bd63f57bec97c51003f347ef5d70N.exe
- Loads dropped DLL (1 IoCs)
  pid 2488, Process 5a94bd63f57bec97c51003f347ef5d70N.exe
- yara_rule: upx (3 resources)
  resource behavioral1/memory/2488-9-0x0000000000400000-0x000000000065C000-memory.dmp
  resource behavioral1/files/0x000e00000001224d-11.dat
  resource behavioral1/memory/2856-18-0x0000000000400000-0x000000000065C000-memory.dmp
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow 2, ioc pastebin.com
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by schtasks.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 5a94bd63f57bec97c51003f347ef5d70N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 5a94bd63f57bec97c51003f347ef5d70N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by schtasks.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2640, Process schtasks.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 2488, Process 5a94bd63f57bec97c51003f347ef5d70N.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2488, Process 5a94bd63f57bec97c51003f347ef5d70N.exe
  pid 2856, Process 5a94bd63f57bec97c51003f347ef5d70N.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2488 wrote to memory of 2856 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 31)
  PID 2488 wrote to memory of 2856 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 31)
  PID 2488 wrote to memory of 2856 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 31)
  PID 2488 wrote to memory of 2856 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 31)
  PID 2856 wrote to memory of 2640 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 32)
  PID 2856 wrote to memory of 2640 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 32)
  PID 2856 wrote to memory of 2640 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 32)
  PID 2856 wrote to memory of 2640 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 32)
  PID 2856 wrote to memory of 2960 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 34)
  PID 2856 wrote to memory of 2960 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 34)
  PID 2856 wrote to memory of 2960 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 34)
  PID 2856 wrote to memory of 2960 (Process 5a94bd63f57bec97c51003f347ef5d70N.exe, procid_target 34)
  PID 2960 wrote to memory of 2744 (Process cmd.exe, procid_target 36)
  PID 2960 wrote to memory of 2744 (Process cmd.exe, procid_target 36)
  PID 2960 wrote to memory of 2744 (Process cmd.exe, procid_target 36)
  PID 2960 wrote to memory of 2744 (Process cmd.exe, procid_target 36)
Processes
- C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 2488
  - C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 2856
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe" /TN 4vF3ZT9f5be3 /F
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 2640
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN 4vF3ZT9f5be3 > C:\Users\Admin\AppData\Local\Temp\sY4U8hP.xml
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2960
      - C:\Windows\SysWOW64\schtasks.exe (depth 4)
        Command line: schtasks.exe /Query /XML /TN 4vF3ZT9f5be3
        - System Location Discovery: System Language Discovery
        PID: 2744
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 6329188f799f144e92c5f44395872eaa
  SHA1: aa9c98e45bdd0fb29560094128867afdc53d4c07
  SHA256: d31e815b4920dbe816c735da94dbd8bbd853d23c43be35c72572f665de00cbdd
  SHA512: d3637abbc230ce972264283edcc8bedaaafbf6f3ae4a6ba54ba0ffa220b06604da9b010bd61083988cac88ea6a94ddcd725d0f2bd47fc2e76fe5823b742768f0
- Filesize: 1003KB
  MD5: d1f2034f2ddfcaf3da1f1cd5c76d36dc
  SHA1: ee2a8e5150f149e6bac2e6e5930801e607c9b79c
  SHA256: 406d98a19d6f94a7c276ab6aff14ff812798d997d78b8678e51f409871c56aaf
  SHA512: 8c4e2460698bb95d66d61947284a8e5b270708f023b7b63a80912c1194fad47fc607f87f941e0c0aa94bb268d07dc2b64484e4487b9da4a7bf8082c0a0d177ff