Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/09/2024, 00:44

General

  • Target

    29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe

  • Size

    16KB

  • MD5

    7dd7190f83497758e3b7ca572c20b94b

  • SHA1

    bb9a93567d04e2df6365ba8f9f67044ba8941644

  • SHA256

    29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714

  • SHA512

    9398bf3decf0a6f899ada503069e060f03df682b43f4ac56830fed8e63056253d59f94648448076857a0163739d26218dd53b5298e8a52143aa6f2cee8017ea6

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8iNJ:hDXWipuE+K3/SSHgxm8iNJ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
    "C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\DEM8621.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8621.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Users\Admin\AppData\Local\Temp\DEM30B1.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM30B1.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2448
          • C:\Users\Admin\AppData\Local\Temp\DEM8611.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM8611.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1912
            • C:\Users\Admin\AppData\Local\Temp\DEMDBEE.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMDBEE.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1948
              • C:\Users\Admin\AppData\Local\Temp\DEM312E.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM312E.exe"
                7⤵
                • Executes dropped EXE
                PID:588

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM312E.exe

    Filesize

    16KB

    MD5

    96d63b8cd74705bb799de8f2483831db

    SHA1

    0b3e9e045de5b9e0266bce4ef52e39cd11fc8ff1

    SHA256

    94c8ac898d7ef4020f2cc9f7df8380df43fa02ba2a4d33ce14ae55dc4608e06c

    SHA512

    e867c11b04750375624a8e040b4bb62b23f0eb663657b55ed7d691253b013c899fc8111ce733e1da87be3d0731225d3f957b10aa4b65e2fef48ee0048c72ee93

  • C:\Users\Admin\AppData\Local\Temp\DEM8611.exe

    Filesize

    16KB

    MD5

    4fae22a8ccfecbcec3ec55108577a54e

    SHA1

    dda04bd83a805ffee961e8ff8741e6fd090cc097

    SHA256

    f7c686f54ef2e87f94770767cace4053bc050c61cc258a087268f269062d2b32

    SHA512

    2f48ecade4302caae3ef9d39ab387e71a9bdd9b963ae9330f5dda7f844805b07c72df4417ea9d29e7d610f7be475a59c1918c52b28cdcd1c9ca9bd33a534c788

  • C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe

    Filesize

    16KB

    MD5

    e8af483e237841356e04ab6a2eafb25b

    SHA1

    9604f4ce4d7b94b84039928b99737dfabb62f0f2

    SHA256

    a212cb3e765a306335a1ac0086192b70c08767875092c910bc68c9a628a0e20b

    SHA512

    bb554f0c2c86fc41496e1d993562dfa1dd65247a5eb9cec620e40576a20e1492089484898649ec5a72f62e14b6976c9f9aa3a69d1ddf26587ae1afba943dbbc3

  • \Users\Admin\AppData\Local\Temp\DEM30B1.exe

    Filesize

    16KB

    MD5

    e1b04172c282619320530b50842bc311

    SHA1

    6e205e4e5b92a36b1df15bedcbd502e0125c72aa

    SHA256

    0bb87ddce03ab001e6a510a8ad088bde1dbe48828d401fe8338f9cd17ca4c4a1

    SHA512

    8e6e008e09ea594b766ae38e817a05a591219ee2c5dc0af7983a1018ebc01696b0fbe79faddd514914f8a29247b4b49b77813eed0820b0aa64cf46c9cf4004c9

  • \Users\Admin\AppData\Local\Temp\DEM8621.exe

    Filesize

    16KB

    MD5

    089cd5f9201d5c8e994e6c0d1cef5248

    SHA1

    032140efed2fc845fc6f13d1dc80e5381bd621cd

    SHA256

    e82632448ae11801fc454f55c712edb6ff8421c94ea6aef7f0e80a0caacff6f8

    SHA512

    901de05ecc00416f9ab2b8d9ca9ca465e9c6588155d93f83764db726054c285b105f605f51082701ce80c056999911aa7b26ab3610d3371673bf15b9ea5ac037

  • \Users\Admin\AppData\Local\Temp\DEMDBEE.exe

    Filesize

    16KB

    MD5

    7db91464bebd461ae0af30d4f64e36d2

    SHA1

    1c170838be01c046783785dd59189a8349184998

    SHA256

    26ca0f2ec83aab33a77284ab169e20dd7d076266142ccde75cd350072083cbc9

    SHA512

    cd02d716fbeddbca1f12d5213c4a48e08d75cb6aeb1b4d20dc1348c83beabec52df17525ebf30162cda5b7baf0447728007bc20c84cd467e9963bbdfa96a4684