Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/09/2024, 17:37

General

  • Target
    f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
  • Size
    16KB
  • MD5
    016ecdb9876c5124ed326acaebcf76c7
  • SHA1
    866ceda0b453db4587f2d9e167ab6218462ca21d
  • SHA256
    f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097
  • SHA512
    e489c83ce455c93039be37d873c87a650847f0c635a65cf984d9b177a7898c787200d3c3f5a4621097604b234ce34fa8817fac795fd6b0f2a9d5161493e80aed
  • SSDEEP
    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYld:hDXWipuE+K3/SSHgxmld

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
    "C:\Users\Admin\AppData\Local\Temp\f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Users\Admin\AppData\Local\Temp\DEM32C4.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM32C4.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Users\Admin\AppData\Local\Temp\DEM87C6.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM87C6.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Users\Admin\AppData\Local\Temp\DEMDCE7.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMDCE7.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Users\Admin\AppData\Local\Temp\DEM3208.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM3208.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2040
              • C:\Users\Admin\AppData\Local\Temp\DEM8843.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM8843.exe"
                7⤵
                • Executes dropped EXE
                PID:1268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM3208.exe
    Filesize: 16KB
    MD5: 0f3933e15b45687fb777a101c83a55d4
    SHA1: d1b9a5ced7e815d8ab76b44f8f227f24a8cda3ef
    SHA256: e7a5da9ab92f935e9399b837cd6c6dffa4a58321df301571125d03ed41ff1ab4
    SHA512: 45fe2fed38159bd13c69d7505d991fdfc7303ff84c17682ad94337ae1f630ce9839f4db1c2809f71e5f96da25537877dc6d724c7105e06747d98505de404b3b1

  • C:\Users\Admin\AppData\Local\Temp\DEM32C4.exe
    Filesize: 16KB
    MD5: 32a23c8381240b7425b76ac0f20126a3
    SHA1: c65fbf220060ceda524f04f21db747e355f92aba
    SHA256: 56a2a955ad0247ad8b5ebbf08bfb10ff7d92bf07a3b032b39848fb6e56a66e3f
    SHA512: 6c6f12dc84ffc5722de926a111d734b7f57d74be621b5b1908a5ec23354d10c8e192b317e7e1e17ccb180b489637a1e3d2b51abdba1e846f79b6201acf73699f

  • \Users\Admin\AppData\Local\Temp\DEM87C6.exe
    Filesize: 16KB
    MD5: f383fcab10f4b642288dbb308fc412cc
    SHA1: 2df407f41dd146839a7405985a39858c9cedbfa9
    SHA256: 52f0116abfdf0c687fc8a86907c268a62f037e94a2fcfba741154725d13c7f06
    SHA512: 32dd93fc3a8f38b3987f286a72c060cf7b20ea6346c8304afa930436002726b265ae9a95c9c0ab3644954d8cf8a64c9d6b9e5c3041ffa29a77bfbd0d6bcef6f2

  • \Users\Admin\AppData\Local\Temp\DEM8843.exe
    Filesize: 16KB
    MD5: 6a07000f2c230347ea8332c6fd10bf4b
    SHA1: d226a0286293582de2d7faf9c4a6ce5b6b5adc0f
    SHA256: b32bd180dc6473ea5ba184ab2173397fdbc72d7ba2a837f5fbb2e416bbcedbdb
    SHA512: 3602c0b21c8e59fc8107b1318c789723b5c0fb85f939fb3871a10b02b5c3b243480fa4c3e5c5c1fb91ed23ee00a3c19f7dcec79e9190207a16baaceed5d2ffe4

  • \Users\Admin\AppData\Local\Temp\DEMDCE7.exe
    Filesize: 16KB
    MD5: 069be68b5f968e230c4ee302db746d13
    SHA1: f18ed1343f11c65941df18207fd0cd92506cd6a7
    SHA256: f9b4c9c97559430c8acb416c1e1521163554536c339b262f368163bad8787ef9
    SHA512: bd56dfbf8ca056321eac1c0dcad4a8ff6d951cdc643b7ec2921984b02d20cb2997df43fedc0308c5436c13fa0d5fa61ae6c4c1188c8466878440ba0377aa03fe

  • \Users\Admin\AppData\Local\Temp\DEMDD83.exe
    Filesize: 16KB
    MD5: 8a146bb97037320c719d841ff446fcf5
    SHA1: cf41de21fbfd1457b40e97ef6161844a2401709a
    SHA256: bc318bbebb04ac31e2956da2daf085ae9a6173cbc81499ba2c6ddfa412d58005
    SHA512: 86ec77ba569daeba48fee42a8a06f2e93be1f23b82b87d8c77da545590c9e175b1e8ad43842767661c9f9f9db6a3857d0496756b4a19a3e2483d55dcee06eaef