Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02/09/2024, 12:06
Static task: static1
Behavioral task: behavioral1
  Sample: 56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
  Resource: win10v2004-20240802-en
General
Target: 56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
Size: 9.7MB
MD5: b962e0d15ff53f01eabe7008c4386f9d
SHA1: bcfa0c259a03c5c14aeea3a7c0a032db45f1025b
SHA256: 56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9
SHA512: ec796fa60b22d5a47581990eae38660b0bbf9d4a89005488dc155376367db000fedff53a38937cf5cf9df7abc1acb93e141bb7c106b895e7c300f6ff0be67753
SSDEEP: 196608:u9iHfdAiSkhVB8H9OxvsByWG2xxcKIgJlKIpJU2DtUGteFpXR7th:8i/dD5V6dOCyWG2NIgJ5pJdDtUGUrXRr
Malware Config
Signatures
Launches sc.exe (1 IoC)
sc.exe is the Windows utility for controlling services on the system.
pid   Process
1624  sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   net1.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                                                   procid_target
PID 2368 wrote to memory of 1624   2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe     30
PID 2368 wrote to memory of 1624   2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe     30
PID 2368 wrote to memory of 1624   2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe     30
PID 2368 wrote to memory of 1624   2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe     30
PID 2368 wrote to memory of 2092   2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe     32
PID 2368 wrote to memory of 2092   2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe     32
PID 2368 wrote to memory of 2092   2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe     32
PID 2368 wrote to memory of 2092   2368  56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe     32
PID 2092 wrote to memory of 2808   2092  net.exe                                                                   34
PID 2092 wrote to memory of 2808   2092  net.exe                                                                   34
PID 2092 wrote to memory of 2808   2092  net.exe                                                                   34
PID 2092 wrote to memory of 2808   2092  net.exe                                                                   34
Processes
C:\Users\Admin\AppData\Local\Temp\56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe"
  PID: 2368
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" config UxSms start= auto
      PID: 1624
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" start UxSms
      PID: 2092
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 start UxSms
          PID: 2808
          - System Location Discovery: System Language Discovery
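The chain in the process tree above is the part of this report worth turning into a detection: a sample running from the user's Temp directory uses sc.exe to set the UxSms service (the Desktop Window Manager Session Manager on Windows 7) to auto-start and then starts it with net.exe, which hands off to net1.exe. The helper images resolve to SysWOW64 although every command line names System32, which is WoW64 file-system redirection and tells you the sample is a 32-bit binary on the x64 image. The following is an added example, not part of the tria.ge report or its signature set. It is Python over process-creation events constructed from the tree above (the sample's own parent PID 1000 and the benign control events are assumptions). It pairs an `sc config <svc> start=` with a `net start <svc>` from the same originating process, walking up past sc/net/net1/cmd to find that originator, and records whether the originator lives in a user-writable directory and whether the helpers ran under WoW64.

```python
"""Detection over constructed process-creation events: pair an sc.exe service
reconfiguration with a net.exe start of the same service from one originator.
Added example; events are constructed from the report's process tree, not a live log."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # on-disk image path, as a sandbox or Sysmon event ID 1 records it
    cmdline: str   # command line as launched

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe"

# Constructed from the report's tree; the sample's parent PID (1000) is assumed.
SAMPLE_EVENTS: List[Proc] = [
    Proc(2368, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(1624, 2368, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" config UxSms start= auto'),
    Proc(2092, 2368, r"C:\Windows\SysWOW64\net.exe", r'"C:\Windows\System32\net.exe" start UxSms'),
    Proc(2808, 2092, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 start UxSms"),
]

# Constructed benign control: an admin shell starting an existing service, no reconfiguration.
BENIGN_EVENTS: List[Proc] = [
    Proc(500, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Proc(501, 500, r"C:\Windows\System32\net.exe", "net start Spooler"),
]

# sc.exe syntax puts the space after '=' ("start= auto"); accept optional whitespace.
SC_CONFIG = re.compile(r'\bsc(?:\.exe)?"?\s+config\s+(\S+)\s+start=\s*(auto|delayed-auto|demand)\b', re.I)
# net.exe hands off to net1.exe, so the same start shows up twice in a tree.
NET_START = re.compile(r'\bnet1?(?:\.exe)?"?\s+start\s+(\S+)', re.I)
USER_WRITABLE = re.compile(r'\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData|Windows\\Temp)\\', re.I)
LOLBINS = {"sc.exe", "net.exe", "net1.exe", "cmd.exe"}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def originator(p: Proc, by_pid: Dict[int, Proc]) -> Proc:
    """Walk up past sc/net/net1/cmd to the process that actually drove the commands."""
    cur, seen = p, set()
    while _basename(cur.image) in LOLBINS and cur.ppid in by_pid and cur.pid not in seen:
        seen.add(cur.pid)
        cur = by_pid[cur.ppid]
    return cur

def find_service_tampering(events: List[Proc]) -> List[dict]:
    """One finding per (originator, service) that the same originator both
    reconfigured to start automatically and then started."""
    by_pid = {p.pid: p for p in events}
    configured, started = {}, {}
    for p in events:
        root = originator(p, by_pid)
        m = SC_CONFIG.search(p.cmdline)
        if m:
            configured[(root.pid, m.group(1).lower())] = (p, m.group(2).lower())
        m = NET_START.search(p.cmdline)
        if m:
            started.setdefault((root.pid, m.group(1).lower()), p)  # keep net.exe, not net1.exe
    findings = []
    for key, (sc_proc, start_type) in configured.items():
        if key not in started:
            continue  # reconfigure alone (installers do this) is not the pattern
        root = by_pid[key[0]]
        findings.append({
            "service": key[1],
            "start_type": start_type,
            "origin_pid": root.pid,
            "origin_image": root.image,
            "origin_in_user_writable_dir": bool(USER_WRITABLE.search(root.image)),
            # A 32-bit process asking for System32 is redirected to SysWOW64 on x64 Windows,
            # so image path and command line disagree exactly as in the report.
            "wow64": "\\syswow64\\" in sc_proc.image.lower(),
            "sc_pid": sc_proc.pid,
            "net_pid": started[key].pid,
        })
    return findings

if __name__ == "__main__":
    for f in find_service_tampering(SAMPLE_EVENTS):
        print(f)
    print("benign control:", find_service_tampering(BENIGN_EVENTS))
```

On a real feed, map Sysmon event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine) onto `Proc`. The pairing is what makes this worth an alert: `sc config` on its own is routine for installers, and `net start` on its own is routine for administrators, but the same originator doing both for one service, from a user-writable path, is the report's behaviour. `sc` also accepts `start= delayed-auto` and `demand`, which the regex covers beyond the `auto` seen here.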
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 613B
MD5: 28eb493b34b8aa6ed4b56d8a86cba55c
SHA1: d7ce46dd6427e74af8fd1f5f6fed86ad6d059edb
SHA256: 07480d679ea0dfe190484fbe4bbc12f63105a07668940a031f16e610e8cebd57
SHA512: ecb6c331d407419bcf0c1a0b3d65f17973da9d7471e355b7dfb9048021e383f1d4622139a2cf2d762edc3ce28c968cecdb41cdd453c4a678f56a8bde4295a186

Filesize: 1KB
MD5: ad0dcb4d09c41d0ec734259a0bb1dba0
SHA1: b1871551fdeeac20762a66ddeffe22fd1fe6fb73
SHA256: 70570d544fcc6bac198358bc987c9fe249e69880a55e74b5f4fe575fb92e02ea
SHA512: 3b66b9a8716d7efc463ec69dd4321471099ee7724c7cb55ed1b0c8e2e74e255a8823230e70a0bed4187bba86cbd8d60e74dff1745fc784f4086116bfe5b3eab0