Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    109s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/09/2024, 02:02

General

  • Target

    daef9ce0d9d1d1e65bb642e8612816c0N.exe

  • Size

    15KB

  • MD5

    daef9ce0d9d1d1e65bb642e8612816c0

  • SHA1

    a965ed4e91d531dbd9914e83d12209ed3a0ce002

  • SHA256

    61e3ddd38d6b6f9e6415589e268d2f8218f89e4814589e38ab776bc5492c8af4

  • SHA512

    eb554a7e73f67c94e5d51820813baea7c8c24850de533f75541279df88e3df88f7732e7a304e884e16d26e93478962cb2ad70967433efabbb19b3626779465a4

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYls:hDXWipuE+K3/SSHgxmls

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\daef9ce0d9d1d1e65bb642e8612816c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\daef9ce0d9d1d1e65bb642e8612816c0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Users\Admin\AppData\Local\Temp\DEMF00A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF00A.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Users\Admin\AppData\Local\Temp\DEM45A8.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM45A8.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Users\Admin\AppData\Local\Temp\DEM9AD9.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM9AD9.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:756
          • C:\Users\Admin\AppData\Local\Temp\DEMF038.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMF038.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Users\Admin\AppData\Local\Temp\DEM454A.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM454A.exe"
              6⤵
              • Executes dropped EXE
              PID:2928
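The process tree above is a six-stage chain in which every stage is a freshly dropped EXE in %TEMP% that executes the next one (PIDs 676 -> 1704 -> 2916 -> 756 -> 2584 -> 2928). The script below, an added example that is not part of the tria.ge page, reconstructs such a chain from generic process-creation events and attaches the SHA256 values the report lists for each dropped file. The events are constructed to mirror the tree (plus two benign processes as noise); the parent PID of the first stage and the (pid, ppid, image) field layout are assumptions, not any particular EDR schema.

```python
"""Detect a self-dropping EXE chain (each Temp-resident EXE spawns the next)."""
from collections import defaultdict

# Temp directory of the sandbox user, lower-cased, with trailing separator so
# that "...\temp\foo.exe" matches but "...\tempfoo\..." does not.
TEMP_DIR = r"c:\users\admin\appdata\local\temp" + "\\"

# SHA256 of each dropped file as listed in the report's Downloads section.
DROPPED_SHA256 = {
    "DEMF00A.exe": "6c17238cf0cbeb48a4f69e18dda57890929303d160db6b631e5f653dc4b1dadd",
    "DEM45A8.exe": "bdec063b4d35916f5eda1470b6d4fdda564249efad846dd59bbfe8804e33a456",
    "DEM9AD9.exe": "130b2522f36181790f8088755d976452d8428db81c0f8c87333b27285adcb11f",
    "DEMF038.exe": "f29dbc6c0b780cd952c876e520311e4780f2abb3e45be81984d0118389fd568c",
    "DEM454A.exe": "1f94321a84210e4c472cdc8a9cc41b458ecf64f94f7d5bfdb1e9f0426b9a1e2f",
}

# Constructed process-creation events: (pid, ppid, image path). PIDs and
# paths follow the report's tree; ppid 1234 for the first stage is assumed.
EVENTS = [
    (676, 1234, r"C:\Users\Admin\AppData\Local\Temp\daef9ce0d9d1d1e65bb642e8612816c0N.exe"),
    (1704, 676, r"C:\Users\Admin\AppData\Local\Temp\DEMF00A.exe"),
    (2916, 1704, r"C:\Users\Admin\AppData\Local\Temp\DEM45A8.exe"),
    (756, 2916, r"C:\Users\Admin\AppData\Local\Temp\DEM9AD9.exe"),
    (2584, 756, r"C:\Users\Admin\AppData\Local\Temp\DEMF038.exe"),
    (2928, 2584, r"C:\Users\Admin\AppData\Local\Temp\DEM454A.exe"),
    (3000, 1234, r"C:\Windows\System32\notepad.exe"),   # benign noise
    (3100, 3000, r"C:\Windows\System32\cmd.exe"),       # benign noise
]


def in_temp(image: str) -> bool:
    """True if the image lives directly under the user's Temp directory."""
    return image.lower().startswith(TEMP_DIR)


def find_dropper_chains(events, min_depth: int = 3):
    """Return every maximal parent->child chain of Temp-resident images of at
    least min_depth processes, as lists of (pid, image basename)."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)

    chains = []

    def walk(pid, chain):
        chain = chain + [(pid, by_pid[pid][1].rsplit("\\", 1)[-1])]
        temp_kids = [c for c in children[pid] if in_temp(by_pid[c][1])]
        if not temp_kids:                      # leaf: record if long enough
            if len(chain) >= min_depth:
                chains.append(chain)
            return
        for child in temp_kids:                # one branch per Temp child
            walk(child, chain)

    # A chain root is a Temp-resident process whose parent is not (or unknown).
    for pid, (ppid, image) in by_pid.items():
        parent_in_temp = ppid in by_pid and in_temp(by_pid[ppid][1])
        if in_temp(image) and not parent_in_temp:
            walk(pid, [])
    return chains


def annotate(chain):
    """Pair each stage with the SHA256 the report gives for that dropped file."""
    return [(pid, name, DROPPED_SHA256.get(name, "n/a")) for pid, name in chain]


def main():
    for chain in find_dropper_chains(EVENTS):
        print(f"dropper chain, depth {len(chain)}:")
        for pid, name, sha in annotate(chain):
            print(f"  pid {pid:<5} {name:<40} sha256={sha[:16]}...")


if __name__ == "__main__":
    main()
```

The depth threshold is what keeps this from firing on an installer that drops and runs one helper: a legitimate setup rarely produces a Temp EXE that spawns a Temp EXE that spawns a third. Swap the constructed EVENTS for Sysmon Event ID 1 or EDR process-start records (keeping the pid/ppid/image triple) to run the same logic over real telemetry.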

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM45A8.exe

    Filesize

    15KB

    MD5

    6e10ab5ffbfedc4ad41933af436c2641

    SHA1

    76eeb4300099a85acac54a024e7883ed62da6b57

    SHA256

    bdec063b4d35916f5eda1470b6d4fdda564249efad846dd59bbfe8804e33a456

    SHA512

    459cf5cbd137002ab15315dedd90761ed03451bfe9d85b4a0a786c2118f28e9f8a4ea02310fe301f6342b99174d413a3d8873071e9064397d1e6f177459f7b0d

  • C:\Users\Admin\AppData\Local\Temp\DEM9AD9.exe

    Filesize

    15KB

    MD5

    9c2e29e54bed5af2c2b7248dfdde72e5

    SHA1

    4b3e05d57f6873ae27f9ac7e31993d607c3d6911

    SHA256

    130b2522f36181790f8088755d976452d8428db81c0f8c87333b27285adcb11f

    SHA512

    d112af04aef123e8946db8832de95f065c753d87c7e10979490cfe1bec21cf7c373751f8e7f7af47bd613bdc3318229278a8d039f9dbd0fcfbb1c04f51d9b7e8

  • C:\Users\Admin\AppData\Local\Temp\DEMF038.exe

    Filesize

    15KB

    MD5

    7aef49ac9fddb07ac69886d55eb5fb99

    SHA1

    919118ef01cdafdb768bd8d2af5e16c33247436d

    SHA256

    f29dbc6c0b780cd952c876e520311e4780f2abb3e45be81984d0118389fd568c

    SHA512

    6214699643c9a53424fb7d09a086186a83afbec59944542e78afe7135685cd816135136cee58cb409c6eb1305491bd778fc3b7164898bf898e95c3f67775fab2

  • \Users\Admin\AppData\Local\Temp\DEM454A.exe

    Filesize

    15KB

    MD5

    9c556e8329556feda4474ce0de06daf7

    SHA1

    0072e0ea11551e3e1da20589d17afffd46ebcc8b

    SHA256

    1f94321a84210e4c472cdc8a9cc41b458ecf64f94f7d5bfdb1e9f0426b9a1e2f

    SHA512

    3bc52dbbbe456fec0ce0e36c4766b2feb28aa88892c4f13d60885b8075b6bf87aa068f6ca10fdd9dd31026e054942de1ff8e2be79c318fc30b5940f24423a5b2

  • \Users\Admin\AppData\Local\Temp\DEMF00A.exe

    Filesize

    15KB

    MD5

    3474f4b211297c3be829fb624d35609c

    SHA1

    f28759921616a6271e843fcdb9c12a5e5d6e630a

    SHA256

    6c17238cf0cbeb48a4f69e18dda57890929303d160db6b631e5f653dc4b1dadd

    SHA512

    91347d9a17e52b400e99b63e14cc6abb54c06355c962c360d38305be81a91cdd10aef6c93c55cbf6ff0b380f6662c88246f92351da65dfcb6987d1ecc0b62fbb