Analysis
- max time kernel: 131s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03/09/2024, 12:58
Static task: static1
Behavioral task: behavioral1
  Sample: 0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
  Resource: win10v2004-20240802-en
General
- Target: 0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
- Size: 14KB
- MD5: 9b81c08743680fb1110c010220bcc622
- SHA1: 8299cd0ea14352c190fc45bbb217fb37221bc671
- SHA256: 0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b
- SHA512: 174128cf347d10b37af7943f89d631ed2d5262c1913262f8338a4a868a12e3c1f3bc7e7828cc1ff385e26eb01cfad7e07cb2645f718e933647f8f855ff593b94
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvFBx:hDXWipuE+K3/SSHgxlFBx
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  PID   Process
  1980  DEMB56A.exe
  2736  DEMABA.exe
  2628  DEM6039.exe
  1432  DEMB635.exe
  2140  DEMB85.exe
  2456  DEM6171.exe
- Loads dropped DLL (6 IoCs)
  PID   Process
  2500  0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
  1980  DEMB56A.exe
  2736  DEMABA.exe
  2628  DEM6039.exe
  1432  DEMB635.exe
  2140  DEMB85.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description   IoC                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEMB56A.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEMABA.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEM6039.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEMB635.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DEMB85.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each row below was reported 4 times)
  Description                        PID   Process                                                                 procid_target
  PID 2500 wrote to memory of 1980   2500  0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe   32
  PID 1980 wrote to memory of 2736   1980  DEMB56A.exe                                                             34
  PID 2736 wrote to memory of 2628   2736  DEMABA.exe                                                              36
  PID 2628 wrote to memory of 1432   2628  DEM6039.exe                                                             38
  PID 1432 wrote to memory of 2140   1432  DEMB635.exe                                                             40
  PID 2140 wrote to memory of 2456   2140  DEMB85.exe                                                              42
Processes
- C:\Users\Admin\AppData\Local\Temp\0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe"
  PID: 2500 (depth 1)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DEMB56A.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB56A.exe"
    PID: 1980 (depth 2, child of 2500)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DEMABA.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMABA.exe"
      PID: 2736 (depth 3, child of 1980)
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\DEM6039.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6039.exe"
        PID: 2628 (depth 4, child of 2736)
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\DEMB635.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB635.exe"
          PID: 1432 (depth 5, child of 2628)
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\DEMB85.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB85.exe"
            PID: 2140 (depth 6, child of 1432)
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\DEM6171.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6171.exe"
              PID: 2456 (depth 7, child of 2140)
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads