Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03/09/2024, 22:32
Static task: static1
Behavioral task: behavioral1
- Sample: 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe
- Resource: win10v2004-20240802-en
General
- Target: 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe
- Size: 1.9MB
- MD5: 786b61f13137975aac320352ac1da101
- SHA1: ecd5117bd0da34138951c3008a295963c90cf2f0
- SHA256: 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71
- SHA512: 48600b23dc5e0afff65f7d34e5a8c90d67c9f6b7a45a1b1b85f7042325c9a45058258cdaaf4d0c89343a4e628f136e240b5b6fc9477c142b149a785a8ba19cc6
- SSDEEP: 24576:N2oo60HPdt+1CRiY2eOBvcj3u10d0O8Y7jN5mlFPUsMDZ79zDDlcuciP0VqEd+tS:Qoa1taC070dvh7jaqd79DDlcuFekd/fe
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  2340 | CD7C.tmp
- Executes dropped EXE (1 IoC)
  pid | Process
  2340 | CD7C.tmp
- Loads dropped DLL (1 IoC)
  pid | Process
  2364 | 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CD7C.tmp
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2364 wrote to memory of 2340 | 2364 | 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe | 31
  PID 2364 wrote to memory of 2340 | 2364 | 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe | 31
  PID 2364 wrote to memory of 2340 | 2364 | 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe | 31
  PID 2364 wrote to memory of 2340 | 2364 | 36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe"
  PID: 2364
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CD7C.tmp (child of PID 2364)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CD7C.tmp" --splash C:\Users\Admin\AppData\Local\Temp\36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe E1CBC0BFC3C9E1D03C0397D236CB81CDE23AA860134DF636DC8513FF081CACEB156654C089D8A675ADE7DC34544C0A85DDE8ED303825A3FE4810BB339FB253C5
    PID: 2340
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.9MB
  MD5: 476c51b108e471b1fbbe003347689d16
  SHA1: bdd0df45f780f81917c40e24e721db0d659c828d
  SHA256: 6ed2ce4479f57b7e402e3dbc42582d7afb87b4c61d62f63283b98f8ee9660c96
  SHA512: ed3a7c39f995e07b814581a0d5f499525ae87a2e1f14d381bfba08cee04c9ce2d177f1877a689f779867a124c89d61aa5e4be0f7e9d58212f914a424ce785e06