Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 131s
  max time network: 141s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 02/09/2024, 00:44
Static task: static1
Behavioral task: behavioral1
  Sample: 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
  Resource: win10v2004-20240802-en
General
  Target: 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
  Size: 16KB
  MD5: 7dd7190f83497758e3b7ca572c20b94b
  SHA1: bb9a93567d04e2df6365ba8f9f67044ba8941644
  SHA256: 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714
  SHA512: 9398bf3decf0a6f899ada503069e060f03df682b43f4ac56830fed8e63056253d59f94648448076857a0163739d26218dd53b5298e8a52143aa6f2cee8017ea6
  SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8iNJ:hDXWipuE+K3/SSHgxm8iNJ
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  2756  DEM8621.exe
  2636  DEMDB42.exe
  2448  DEM30B1.exe
  1912  DEM8611.exe
  1948  DEMDBEE.exe
  588   DEM312E.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2972  29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
  2756  DEM8621.exe
  2636  DEMDB42.exe
  2448  DEM30B1.exe
  1912  DEM8611.exe
  1948  DEMDBEE.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMDBEE.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM8621.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMDB42.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM30B1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM8611.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 2972 wrote to memory of 2756 | 2972 | 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe | 32
  PID 2972 wrote to memory of 2756 | 2972 | 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe | 32
  PID 2972 wrote to memory of 2756 | 2972 | 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe | 32
  PID 2972 wrote to memory of 2756 | 2972 | 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe | 32
  PID 2756 wrote to memory of 2636 | 2756 | DEM8621.exe | 34
  PID 2756 wrote to memory of 2636 | 2756 | DEM8621.exe | 34
  PID 2756 wrote to memory of 2636 | 2756 | DEM8621.exe | 34
  PID 2756 wrote to memory of 2636 | 2756 | DEM8621.exe | 34
  PID 2636 wrote to memory of 2448 | 2636 | DEMDB42.exe | 36
  PID 2636 wrote to memory of 2448 | 2636 | DEMDB42.exe | 36
  PID 2636 wrote to memory of 2448 | 2636 | DEMDB42.exe | 36
  PID 2636 wrote to memory of 2448 | 2636 | DEMDB42.exe | 36
  PID 2448 wrote to memory of 1912 | 2448 | DEM30B1.exe | 38
  PID 2448 wrote to memory of 1912 | 2448 | DEM30B1.exe | 38
  PID 2448 wrote to memory of 1912 | 2448 | DEM30B1.exe | 38
  PID 2448 wrote to memory of 1912 | 2448 | DEM30B1.exe | 38
  PID 1912 wrote to memory of 1948 | 1912 | DEM8611.exe | 40
  PID 1912 wrote to memory of 1948 | 1912 | DEM8611.exe | 40
  PID 1912 wrote to memory of 1948 | 1912 | DEM8611.exe | 40
  PID 1912 wrote to memory of 1948 | 1912 | DEM8611.exe | 40
  PID 1948 wrote to memory of 588 | 1948 | DEMDBEE.exe | 42
  PID 1948 wrote to memory of 588 | 1948 | DEMDBEE.exe | 42
  PID 1948 wrote to memory of 588 | 1948 | DEMDBEE.exe | 42
  PID 1948 wrote to memory of 588 | 1948 | DEMDBEE.exe | 42
Processes (process tree; each entry is a child of the one above it)
1. C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe"
   PID: 2972
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEM8621.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8621.exe"
     PID: 2756
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe"
       PID: 2636
       - Executes dropped EXE
       - Loads dropped DLL
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEM30B1.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM30B1.exe"
         PID: 2448
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEM8611.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8611.exe"
           PID: 1912
           - Executes dropped EXE
           - Loads dropped DLL
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEMDBEE.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDBEE.exe"
             PID: 1948
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEM312E.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM312E.exe"
               PID: 588
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 16KB
  MD5: 96d63b8cd74705bb799de8f2483831db
  SHA1: 0b3e9e045de5b9e0266bce4ef52e39cd11fc8ff1
  SHA256: 94c8ac898d7ef4020f2cc9f7df8380df43fa02ba2a4d33ce14ae55dc4608e06c
  SHA512: e867c11b04750375624a8e040b4bb62b23f0eb663657b55ed7d691253b013c899fc8111ce733e1da87be3d0731225d3f957b10aa4b65e2fef48ee0048c72ee93
- File 2
  Filesize: 16KB
  MD5: 4fae22a8ccfecbcec3ec55108577a54e
  SHA1: dda04bd83a805ffee961e8ff8741e6fd090cc097
  SHA256: f7c686f54ef2e87f94770767cace4053bc050c61cc258a087268f269062d2b32
  SHA512: 2f48ecade4302caae3ef9d39ab387e71a9bdd9b963ae9330f5dda7f844805b07c72df4417ea9d29e7d610f7be475a59c1918c52b28cdcd1c9ca9bd33a534c788
- File 3
  Filesize: 16KB
  MD5: e8af483e237841356e04ab6a2eafb25b
  SHA1: 9604f4ce4d7b94b84039928b99737dfabb62f0f2
  SHA256: a212cb3e765a306335a1ac0086192b70c08767875092c910bc68c9a628a0e20b
  SHA512: bb554f0c2c86fc41496e1d993562dfa1dd65247a5eb9cec620e40576a20e1492089484898649ec5a72f62e14b6976c9f9aa3a69d1ddf26587ae1afba943dbbc3
- File 4
  Filesize: 16KB
  MD5: e1b04172c282619320530b50842bc311
  SHA1: 6e205e4e5b92a36b1df15bedcbd502e0125c72aa
  SHA256: 0bb87ddce03ab001e6a510a8ad088bde1dbe48828d401fe8338f9cd17ca4c4a1
  SHA512: 8e6e008e09ea594b766ae38e817a05a591219ee2c5dc0af7983a1018ebc01696b0fbe79faddd514914f8a29247b4b49b77813eed0820b0aa64cf46c9cf4004c9
- File 5
  Filesize: 16KB
  MD5: 089cd5f9201d5c8e994e6c0d1cef5248
  SHA1: 032140efed2fc845fc6f13d1dc80e5381bd621cd
  SHA256: e82632448ae11801fc454f55c712edb6ff8421c94ea6aef7f0e80a0caacff6f8
  SHA512: 901de05ecc00416f9ab2b8d9ca9ca465e9c6588155d93f83764db726054c285b105f605f51082701ce80c056999911aa7b26ab3610d3371673bf15b9ea5ac037
- File 6
  Filesize: 16KB
  MD5: 7db91464bebd461ae0af30d4f64e36d2
  SHA1: 1c170838be01c046783785dd59189a8349184998
  SHA256: 26ca0f2ec83aab33a77284ab169e20dd7d076266142ccde75cd350072083cbc9
  SHA512: cd02d716fbeddbca1f12d5213c4a48e08d75cb6aeb1b4d20dc1348c83beabec52df17525ebf30162cda5b7baf0447728007bc20c84cd467e9963bbdfa96a4684