Analysis
- max time kernel: 133s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 03/09/2024, 06:21
Static task: static1
Behavioral task: behavioral1
  Sample: 5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
  Resource: win10v2004-20240802-en
General
- Target: 5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
- Size: 15KB
- MD5: 7c58ed3ec40b9640da0426a8ec30efe5
- SHA1: 6d2b6b57e9ac6674e0ef5e98cee9fe0e54d9bd2b
- SHA256: 5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df
- SHA512: 78794b13879b2ce14042587d884b4a8765767de06587cdc5a979b11df00ac94ac8a0fe1b172ba5ad2f99390e5ca5f46ab91c56f2c33a5f2662d389505122c3b7
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhid:hDXWipuE+K3/SSHgxLid
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  2800  DEMF4DA.exe
  2816  DEM4B81.exe
  2944  DEMA1FA.exe
  1088  DEMF798.exe
  2988  DEM4DC3.exe
  2068  DEMA4A8.exe

- Loads dropped DLL (6 IoCs)
  pid   Process
  2928  5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
  2800  DEMF4DA.exe
  2816  DEM4B81.exe
  2944  DEMA1FA.exe
  1088  DEMF798.exe
  2988  DEM4DC3.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMF4DA.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM4B81.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMA1FA.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMF798.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM4DC3.exe

- Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2928 wrote to memory of 2800   2928  5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe  30
  PID 2928 wrote to memory of 2800   2928  5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe  30
  PID 2928 wrote to memory of 2800   2928  5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe  30
  PID 2928 wrote to memory of 2800   2928  5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe  30
  PID 2800 wrote to memory of 2816   2800  DEMF4DA.exe                                                             32
  PID 2800 wrote to memory of 2816   2800  DEMF4DA.exe                                                             32
  PID 2800 wrote to memory of 2816   2800  DEMF4DA.exe                                                             32
  PID 2800 wrote to memory of 2816   2800  DEMF4DA.exe                                                             32
  PID 2816 wrote to memory of 2944   2816  DEM4B81.exe                                                             34
  PID 2816 wrote to memory of 2944   2816  DEM4B81.exe                                                             34
  PID 2816 wrote to memory of 2944   2816  DEM4B81.exe                                                             34
  PID 2816 wrote to memory of 2944   2816  DEM4B81.exe                                                             34
  PID 2944 wrote to memory of 1088   2944  DEMA1FA.exe                                                             36
  PID 2944 wrote to memory of 1088   2944  DEMA1FA.exe                                                             36
  PID 2944 wrote to memory of 1088   2944  DEMA1FA.exe                                                             36
  PID 2944 wrote to memory of 1088   2944  DEMA1FA.exe                                                             36
  PID 1088 wrote to memory of 2988   1088  DEMF798.exe                                                             38
  PID 1088 wrote to memory of 2988   1088  DEMF798.exe                                                             38
  PID 1088 wrote to memory of 2988   1088  DEMF798.exe                                                             38
  PID 1088 wrote to memory of 2988   1088  DEMF798.exe                                                             38
  PID 2988 wrote to memory of 2068   2988  DEM4DC3.exe                                                             40
  PID 2988 wrote to memory of 2068   2988  DEM4DC3.exe                                                             40
  PID 2988 wrote to memory of 2068   2988  DEM4DC3.exe                                                             40
  PID 2988 wrote to memory of 2068   2988  DEM4DC3.exe                                                             40
Processes
- C:\Users\Admin\AppData\Local\Temp\5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe"
  PID: 2928
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DEMF4DA.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEMF4DA.exe"
    PID: 2800
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe"
      PID: 2816
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\DEMA1FA.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEMA1FA.exe"
        PID: 2944
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\DEMF798.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEMF798.exe"
          PID: 1088
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\DEM4DC3.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4DC3.exe"
            PID: 2988
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\DEMA4A8.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEMA4A8.exe"
              PID: 2068
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 15KB
  MD5: 3c8024786380261cf91e98441a8e9719
  SHA1: 37d62f568ac0ef51d65ac83ab1fb8d2cde9d278f
  SHA256: 2896fb3845fbed649a4f223f526e7366d6a1cb2b21164de6806071fde178d117
  SHA512: e6f99b5310b77180ca7b59fb79d5e535234fcdba4a89fe2b111191eb9cec8729af8bce87673d7d71a9c696722c9394ea5be7e4e32861e178763703c22c5e8c00

- Filesize: 15KB
  MD5: 478d0ccd8cbeb48ff04472ac71f0a96e
  SHA1: ca5805a0161f0eea0959220c87bec2955e2b1aff
  SHA256: 48db47cba87942431da05780becabf95be0dbafbb2b4efa27367f6e63ac97d54
  SHA512: 7c4ee38937c0c3d8a064945ef807376bf14694256957875d39b9105f7e85992e6684d6a12568a35913f497eed07154e4d056843f967c1adbef6b10859ff43369

- Filesize: 15KB
  MD5: c632e21e1d93f7d1b997a2b9b8a9430c
  SHA1: 63be0ef207cfd8ede9fce55f4855ea3cad56181b
  SHA256: f242c26080698f77c1843e1bfd67aa21dd9827cb1a57bba11b54a5a0967682fe
  SHA512: 7e98611918705e92c0571c4c5f5f427d9a5db3e39368c2002376d094287532964c7dcd11d62ad33d29265fc414987f643d1fca7e03820d9ec3a4009e8f7b69bc

- Filesize: 15KB
  MD5: 5cb03230451962a76aea1f2913706f9e
  SHA1: 4c4cffdd3728c37c0e30321a1838da25917f1a12
  SHA256: 1c93fa024f38c57b303e2121934f3855c427d04d403e53518c72fbb22434330b
  SHA512: dd297cd560b39e5f3f414bb72005f6c1016a125931e3e6eeedfadc6cee96290fa1c9207241f23bc7223ec72bf36460901290436e3b407136d48972d34ef2ba57

- Filesize: 15KB
  MD5: 6da42d60be23d57c7f1869493b09ebe1
  SHA1: 0fbdc6a4f0e822855464d4db4b1c334fccc6286b
  SHA256: 6d554be00f815a1d452e9c17360eec3241a0c0df203ab9082508a6b46da5c009
  SHA512: 482ebbb8f5988a6b0d099c97fe0e19e3cdc41bc66527be93100d60986a581088840da7ae0117149613e8cfc62e1d9bcc97a557c17dcebb4fd77244ae79c7b555

- Filesize: 15KB
  MD5: 9342496341eaf56c7f2a4827ce1ee68f
  SHA1: d5d540297c11cac34a955e66ffb8a7c1d1d42fde
  SHA256: 7ada155e2ab7e3fde0074b17e2a1410aeed6a078c9c05abcdc2bbf77eb3b9730
  SHA512: 1f00ef1f34834e36b56c12e9e77ee1949984150b1a21d6fbed2c06da1881c95026503a5e79bf3719b695ade6b1dd177aa8f21b6d1a39880e91d0e05bf324c363