Analysis
max time kernel: 16s
max time network: 21s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 02/09/2024, 14:09
Static task: static1
Behavioral task: behavioral1
  Sample: c6ae6cee842c6c70865f2c8b00a8faa0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c6ae6cee842c6c70865f2c8b00a8faa0N.exe
  Resource: win10v2004-20240802-en
General
Target: c6ae6cee842c6c70865f2c8b00a8faa0N.exe
Size: 4.4MB
MD5: c6ae6cee842c6c70865f2c8b00a8faa0
SHA1: eddab94d7403bbf9a2183861788e1a441ffc75eb
SHA256: e83e61152c7dbaeab7b506a8b6efca7b610a4de6f2566bed01900c95dc74d1c1
SHA512: 11eaf66953f8f87978ef613bf3de5b5107c794a2a977468f167d644469e4da34f722a868301b7689d72996cbab59a30a718263d14dc1b0ef29f786288a8e3ac0
SSDEEP: 98304:emhd1Urye32TfQpiAw6niRU3pcZl/SV7wQqZUha5jtSn:elX2TfQpiAw6n2U3p52QbaZte
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2396, process 9119.tmp
Executes dropped EXE (1 IoC)
  pid 2396, process 9119.tmp
Loads dropped DLL (2 IoCs)
  pid 2160, process c6ae6cee842c6c70865f2c8b00a8faa0N.exe
  pid 2160, process c6ae6cee842c6c70865f2c8b00a8faa0N.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: c6ae6cee842c6c70865f2c8b00a8faa0N.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2160 wrote to memory of 2396; process c6ae6cee842c6c70865f2c8b00a8faa0N.exe; procid_target 30
  PID 2160 wrote to memory of 2396; process c6ae6cee842c6c70865f2c8b00a8faa0N.exe; procid_target 30
  PID 2160 wrote to memory of 2396; process c6ae6cee842c6c70865f2c8b00a8faa0N.exe; procid_target 30
  PID 2160 wrote to memory of 2396; process c6ae6cee842c6c70865f2c8b00a8faa0N.exe; procid_target 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\c6ae6cee842c6c70865f2c8b00a8faa0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c6ae6cee842c6c70865f2c8b00a8faa0N.exe"
   Loads dropped DLL
   System Location Discovery: System Language Discovery
   Suspicious use of WriteProcessMemory
   PID: 2160
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\9119.tmp
   Command line: "C:\Users\Admin\AppData\Local\Temp\9119.tmp" --splash C:\Users\Admin\AppData\Local\Temp\c6ae6cee842c6c70865f2c8b00a8faa0N.exe 6380E2954ADECE99B1246794C580A0D59ABDEDCF9256FAC695758B1493CB319062CD34C227CCACE9BB32AA4F1D0AFB84CE2AAFE3EFDE45870D6B0EC7A44A36BE
   Deletes itself
   Executes dropped EXE
   PID: 2396
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.4MB
MD5: 50396e261bda8e4d13e572496945248e
SHA1: 14caca530015961824120846cfbc2d16229ba102
SHA256: fc74f62c13c716a271c91987bea8906640fa66492e9c9142e60a5415a24b8a28
SHA512: 8346553c8ac29ccdeedd6c4a8d2395b3b0912e1c8b979127e68afeec9cc14c6b6ed2a36eadff5020fb2116d34227f91cc6585926a5504310594ca89fab8cf1e8