Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 17s
max time network: 19s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 28/08/2024, 19:58
Static task
static1
Behavioral task
behavioral1
Sample
e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
Resource
win7-20240705-en
General
Target: e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
Size: 6.4MB
MD5: 3e129091f24edf63142c709688a82aa9
SHA1: 91b82ce9e53773c76e3aa6929c442f6b260810b6
SHA256: e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32
SHA512: d5439b173ef77db597539f18b7ee6815cf48cf0f4b1e359b042e6e224306c5a07c8586a282e7a1c3c996bf316e721ee4631f4d2e1c37f81e51876e5fb571dc6f
SSDEEP: 196608:zhxRPAu3seOhqXP3KtBllnyB/lV9kLIVec0e/TCdnZ56Ac:tzPIhwXP6tBl6/lsLPc/ynZ56Ac
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects a file protected with the ACProtect packer.
resource                                    yara_rule
behavioral1/files/0x00090000000120fa-8.dat  acprotect
Loads dropped DLL (1 IoC)
pid   Process
1896  e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe

UPX packed file (yara rule upx, 5 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1896-0-0x0000000010000000-0x0000000010018000-memory.dmp   upx
behavioral1/memory/1896-2-0x0000000010000000-0x0000000010018000-memory.dmp   upx
behavioral1/memory/1896-10-0x00000000056F0000-0x000000000578F000-memory.dmp  upx
behavioral1/files/0x00090000000120fa-8.dat                                   upx
behavioral1/memory/1896-40-0x00000000056F0000-0x000000000578F000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: the key was opened both by the sample and by cacls.exe, a stock Windows utility, so an open of this key on its own is weak evidence of deliberate geofencing; ordinary locale initialisation reads it as well.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cacls.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
1896  e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
1896  e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
1896  e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
Suspicious use of WriteProcessMemory (4 IoCs)
All four writes go from the sample (PID 1896) into cacls.exe (PID 2224), the child it spawns. A parent writing into a process it has just created is part of normal CreateProcess start-up, so these entries are not, on their own, evidence of code injection.
description                        pid   Process                                                                 procid_target
PID 1896 wrote to memory of 2224   1896  e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe  29
PID 1896 wrote to memory of 2224   1896  e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe  29
PID 1896 wrote to memory of 2224   1896  e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe  29
PID 1896 wrote to memory of 2224   1896  e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe  29
Processes
1. C:\Users\Admin\AppData\Local\Temp\e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe"
   PID: 1896
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cacls.exe (child of PID 1896)
      Command line: cacls "" /e /p everyone:n
      PID: 2224
      - System Location Discovery: System Language Discovery
      Note: /e /p everyone:n edits the target's ACL in place and replaces Everyone's entry with N (no access); the file argument is an empty string as recorded.
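A way to re-score the behavioural entries above with the process tree taken into account, as an added example that is not tria.ge's own code: it flags the cacls ACL change, maps the NLS\Language key opens to T1614.001 while keeping them low confidence because cacls.exe triggers them too, and downgrades the parent-to-child WriteProcessMemory calls to start-up context. The event records are constructed from this report's entries; the Finding structure, the severity labels and every function name are this script's own.

```python
"""Re-score the behavioural events of a sandbox report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique id, or "" for context only
    title: str
    severity: str    # "info", "low", "medium" or "high" (this script's scale)
    pid: int
    detail: str


# NLS\Language under any ControlSetNNN, in the form the sandbox records it.
NLS_LANGUAGE_KEY = re.compile(
    r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d{3}\\Control\\NLS\\Language$",
    re.IGNORECASE)


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Tokenise on whitespace, honouring double quotes and keeping "" as ''.

    shlex.split() is avoided: POSIX mode eats the backslashes in Windows
    paths and non-POSIX mode leaves the quote characters in the tokens.
    """
    tokens, current, in_quote, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            have_token = True            # "" still yields an empty token
        elif ch.isspace() and not in_quote:
            if have_token:
                tokens.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        tokens.append("".join(current))
    return tokens


def check_cacls(pid: int, cmdline: str):
    """Flag cacls runs that strip or deny Everyone's access (T1222.001)."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in ("cacls", "cacls.exe"):
        return None
    args = tokens[1:]
    lowered = [a.lower() for a in args]
    reasons = []
    for i in range(len(lowered) - 1):
        if lowered[i] == "/p" and lowered[i + 1] == "everyone:n":
            reasons.append("Everyone permission replaced with N (no access)")
        elif lowered[i] == "/d" and lowered[i + 1] == "everyone":
            reasons.append("Everyone explicitly denied")
    if not reasons:
        return None
    if args and args[0] == "":          # cacls takes the file as first argument
        reasons.append("target path is an empty string as recorded")
    return Finding("T1222.001", "File and Directory Permissions Modification: Windows",
                   "medium", pid, "; ".join(reasons))


def check_registry(pid: int, op: str, key: str):
    """Map an NLS\\Language key open to T1614.001 at low confidence: ordinary
    locale initialisation opens it as well (cacls.exe does so in this report)."""
    if op == "Key opened" and NLS_LANGUAGE_KEY.search(key):
        return Finding("T1614.001", "System Location Discovery: System Language Discovery",
                       "low", pid, key)
    return None


def classify_write(src_pid: int, dst_pid: int, parents: dict[int, int]):
    """Rate a WriteProcessMemory call against the process tree. A parent
    writing into its own freshly created child is normal CreateProcess
    start-up; a write into any other process is treated as injection."""
    if parents.get(dst_pid) == src_pid:
        return Finding("", "Parent wrote to child during process creation",
                       "info", src_pid, f"{src_pid} -> {dst_pid}")
    return Finding("T1055", "Process Injection", "high", src_pid,
                   f"{src_pid} wrote into unrelated process {dst_pid}")


def triage(events, parents):
    """Run every check over the events; identical findings are collapsed."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            f = check_cacls(ev["pid"], ev["cmdline"])
        elif ev["type"] == "registry":
            f = check_registry(ev["pid"], ev["op"], ev["key"])
        elif ev["type"] == "write_memory":
            f = classify_write(ev["pid"], ev["target"], parents)
        else:
            f = None
        if f is not None and f not in findings:
            findings.append(f)
    return findings


SAMPLE = "e8594125efe511677caed45e2fac565d0d7d5722f793c563ab88513d4b745e32.exe"
PARENTS = {2224: 1896}              # child pid -> parent pid, from the process tree
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
EVENTS = [                          # constructed from this report's entries
    {"type": "process", "pid": 1896,
     "cmdline": f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'},
    *[{"type": "write_memory", "pid": 1896, "target": 2224} for _ in range(4)],
    {"type": "process", "pid": 2224, "cmdline": 'cacls "" /e /p everyone:n'},
    {"type": "registry", "pid": 1896, "op": "Key opened", "key": NLS_KEY},
    {"type": "registry", "pid": 2224, "op": "Key opened", "key": NLS_KEY},
]

if __name__ == "__main__":
    for f in triage(EVENTS, PARENTS):
        print(f"[{f.severity:6}] {f.technique or '-':9} pid {f.pid}: {f.title} ({f.detail})")
```

Run as a script it prints one line per collapsed finding: the four WriteProcessMemory entries become a single informational line, the cacls command a medium one, and the two key opens two low ones. classify_write() returns a high T1055 finding only when the destination is not the caller's own child, which is the distinction the sandbox's generic "Suspicious use of WriteProcessMemory" signature does not make.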
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 2KB
MD5: e4d15adb53f915ec9d8eb01498a13fd5
SHA1: e1b803a091773c1b604252903a7240720de93dc1
SHA256: 3d37404c803e12094dd5f0399fbd81c600873a94e8f88268386aca2e010c13e7
SHA512: c52c8234ef79ba4c2904dd36a3689431ff2c3a13e583399ad6bb69994b4b0af33cb56ab71a1a48a2671c0272448c2b1f4fe5cb24b1d56c20bc6a08c0b76d0c8f

File 2
Filesize: 233KB
MD5: ea3df059beae86a3e186b2b179755e77
SHA1: babdcd6b5082c02fa2f5ebc2020f2cb3bbd77e8d
SHA256: 1ab68a0c296281437fe638c8535309c6241ded4852608d940f5efcb8cc2d91a6
SHA512: 1406d8083cfbd26e18aba74f6b45a09137bb3960f7afce5c5d0d790b0edb7277b7b885ed2ded9def12b667bcb37cbfb335884b2d7b8f08565743b674d1f053bb