Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/09/2024, 12:58

General

  • Target

    0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe

  • Size

    14KB

  • MD5

    9b81c08743680fb1110c010220bcc622

  • SHA1

    8299cd0ea14352c190fc45bbb217fb37221bc671

  • SHA256

    0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b

  • SHA512

    174128cf347d10b37af7943f89d631ed2d5262c1913262f8338a4a868a12e3c1f3bc7e7828cc1ff385e26eb01cfad7e07cb2645f718e933647f8f855ff593b94

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvFBx:hDXWipuE+K3/SSHgxlFBx

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
    "C:\Users\Admin\AppData\Local\Temp\0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Users\Admin\AppData\Local\Temp\DEMB56A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB56A.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Users\Admin\AppData\Local\Temp\DEMABA.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMABA.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Users\Admin\AppData\Local\Temp\DEM6039.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM6039.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Users\Admin\AppData\Local\Temp\DEMB635.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB635.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1432
            • C:\Users\Admin\AppData\Local\Temp\DEMB85.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMB85.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2140
              • C:\Users\Admin\AppData\Local\Temp\DEM6171.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM6171.exe"
                7⤵
                • Executes dropped EXE
                PID:2456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM6171.exe

    Filesize

    14KB

    MD5

    aaaaf814cdfba905da8bd3732ab6b4b6

    SHA1

    caede729f802fb24eb1f05be0c3a5788d9f97d22

    SHA256

    61a1ad9075bd7620ac3f3f9058adf3f9d0f9389517c25a3683a8178cb706ebbb

    SHA512

    b17587c44c0b296547055fe881a33ca77702f0b472856d7ed54f3e9d037cc869b4dce6e4497b160686dc72d50618bfdeeaf931cc0f25d751f198daf15535dea5

  • C:\Users\Admin\AppData\Local\Temp\DEMABA.exe

    Filesize

    14KB

    MD5

    acff9205ada627875487cbef323bef64

    SHA1

    d03c0a128edc72992f9d0b7f8a872911e1803c9d

    SHA256

    6667e9e5f9e2cd4778a2729964e17f051637629063300eb054788dc1c4c4d674

    SHA512

    926294968634c05807985ab3fbc18cf58a5e0133553aeeb269e0917a377f5a77392e231621b24a935cc2c49801e4f92a1d0e338f55423b738b60eb7c8cfd243d

  • \Users\Admin\AppData\Local\Temp\DEM6039.exe

    Filesize

    14KB

    MD5

    ff5135757c7216f92e3b1b7db84f198a

    SHA1

    e205b87a43392897ba76463b559d9bab96f9e318

    SHA256

    e31eaa24d79c5fb32b4a4822cea35db83dc3acb9622bbed215aac4c1cf4306c4

    SHA512

    4d3213ca6517b6182cba6bb8ec10f873a390a2b9b676f7f6e984c80d8adbeebd4231ef3323890b8bc9341bc15a5da200f23b8cdfd34d544776574a32775e5fe9

  • \Users\Admin\AppData\Local\Temp\DEMB56A.exe

    Filesize

    14KB

    MD5

    a918e04d9e07135b4e99164f41823bc9

    SHA1

    0ad47037d1a861ab45a6ea3a5317aec1dd9c77e4

    SHA256

    e1ddee83badb7cb80664fd9c0f02ac8f37d7dbd80bc11ab91079c158ade3ce99

    SHA512

    99f9a04f7badcb0ad916baf001565118740e21dd56b2451c13b9ecbe7a6bd10a72c8d8386e32aaea51a15cb7c5fde445f5e3f8edfe1b835d7664296efb715020

  • \Users\Admin\AppData\Local\Temp\DEMB635.exe

    Filesize

    14KB

    MD5

    e63aa967d8957046c755951d0e5df08d

    SHA1

    dfef4306a3b08e0649c3d3460687e9cd6dc8564e

    SHA256

    f5ba3557c6e1e14bbf4059ac04f53d449ecc64c7811959f13438facc68dfc184

    SHA512

    3e7dfefdc9b86ae4fa161928c90452a01fdae6389158f6c0a2e6eebcef84df02ab6dbe649234038e85fbc2d326b1a60d9fbe025e56601c035689dac4aff759ac

  • \Users\Admin\AppData\Local\Temp\DEMB85.exe

    Filesize

    14KB

    MD5

    37e5922637ee81d2854b8e0fb977a0ec

    SHA1

    2dcdfb40bf5faa9e39b8008f48db9d97de164626

    SHA256

    f30dff05526d9a70a236835c2cc2cae569fcd8bb7e39068233ce6ec9a8244e52

    SHA512

    42ec8f291bf56cdbb39be1ef828ea60d27c4ac54f768683906e588844bdb98c0ba23979f08b395bf7692fafe14fcef9edc5dab04e1c3be6998c5a51a32df2839