Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 145s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 29/08/2024, 15:13
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20240802-en
General
- Target: file.exe
- Size: 13.1MB
- MD5: 364045dcd335ffd17f48a8cf5f816a01
- SHA1: e9484d6300ce1d921c70ba7c08d4bb5b79f7a8c3
- SHA256: dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b
- SHA512: 84b719101392c9dc6fc0d0665dd5fdca2627d2f302402bc2d475a4a9fc398acd2f8384c8d3b7a5a4e012b9007a3256557a957da75948b6cff07a0ceda69b2013
- SSDEEP: 196608:t1cCA+KNn9QK7FQZDJLla35CKFdu9CwJsv6t0KAnag:t1cDPQca1JA3YKFdu9CwJsv6ti1
Malware Config
Signatures
- Drops file in Program Files directory (1 IoC)
  description                   ioc                                     Process
  File opened for modification  C:\Program Files (x86)\CPU-Z\cpu-z.exe  file.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  1572  cpu-z.exe
  2896  cpu-z.tmp
- Loads dropped DLL (2 IoCs)
  pid   Process
  1612  file.exe
  1572  cpu-z.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cpu-z.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  file.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  file.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cpu-z.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  1604  file.exe
  1612  file.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process    procid_target
  PID 1604 wrote to memory of 1612  1604  file.exe   28
  PID 1604 wrote to memory of 1612  1604  file.exe   28
  PID 1604 wrote to memory of 1612  1604  file.exe   28
  PID 1604 wrote to memory of 1612  1604  file.exe   28
  PID 1612 wrote to memory of 1572  1612  file.exe   29
  PID 1612 wrote to memory of 1572  1612  file.exe   29
  PID 1612 wrote to memory of 1572  1612  file.exe   29
  PID 1612 wrote to memory of 1572  1612  file.exe   29
  PID 1612 wrote to memory of 1572  1612  file.exe   29
  PID 1612 wrote to memory of 1572  1612  file.exe   29
  PID 1612 wrote to memory of 1572  1612  file.exe   29
  PID 1572 wrote to memory of 2896  1572  cpu-z.exe  30
  PID 1572 wrote to memory of 2896  1572  cpu-z.exe  30
  PID 1572 wrote to memory of 2896  1572  cpu-z.exe  30
  PID 1572 wrote to memory of 2896  1572  cpu-z.exe  30
  PID 1572 wrote to memory of 2896  1572  cpu-z.exe  30
  PID 1572 wrote to memory of 2896  1572  cpu-z.exe  30
  PID 1572 wrote to memory of 2896  1572  cpu-z.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  PID: 1604
  - C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe" -kross
    - Drops file in Program Files directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of WriteProcessMemory
    PID: 1612
    - C:\Program Files (x86)\CPU-Z\cpu-z.exe
      Command line: "C:\Program Files (x86)\CPU-Z\cpu-z.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1572
      - C:\Users\Admin\AppData\Local\Temp\is-02FJP.tmp\cpu-z.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-02FJP.tmp\cpu-z.tmp" /SL5="$401CC,1839111,58368,C:\Program Files (x86)\CPU-Z\cpu-z.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 2896
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: da384563c4cf8f233e4c3efce5f63b7a
  SHA1: d08290a7324b31da38b2142d7f96a671a12c481e
  SHA256: 7d3d1df736ca8aa96edcf37ffa3d0c992f5c2015cf2aef8c805c02729e87161f
  SHA512: 7651b20a5d3dff7e749300d367d3f88e69e20892580aeff52f934d07c3db6dc72b00729a35ce44592fcd9c359a813d2448daae6fd91c610f2f34ed59435b89f1
- Filesize: 702KB
  MD5: 1afbd25db5c9a90fe05309f7c4fbcf09
  SHA1: baf330b5c249ca925b4ea19a52fe8b2c27e547fa
  SHA256: 3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c
  SHA512: 3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419