Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/09/2024, 19:59

General

  • Target

    731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe

  • Size

    16KB

  • MD5

    de096a0b4d1e4ec6e1264561db544138

  • SHA1

    bcad7bb9591ce4a46cb89b97038754774a84b04a

  • SHA256

    731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2

  • SHA512

    7d480a44b36a5a43fc22022205ac936216b6423e7d2fe4b224461fe544c53f55b2a6ced5746809b66672c8cf1a9ba2a57e679742db838b67137492d15ee1ffd6

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY44EA1H:hDXWipuE+K3/SSHgxm5Z1H

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
    "C:\Users\Admin\AppData\Local\Temp\731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Users\Admin\AppData\Local\Temp\DEM9C9D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9C9D.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Local\Temp\DEMF1DE.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMF1DE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Users\Admin\AppData\Local\Temp\DEM470E.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM470E.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Users\Admin\AppData\Local\Temp\DEM9C20.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM9C20.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1172
            • C:\Users\Admin\AppData\Local\Temp\DEMF122.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMF122.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1540
              • C:\Users\Admin\AppData\Local\Temp\DEM4653.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM4653.exe"
                7⤵
                • Executes dropped EXE
                PID:580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEMF1DE.exe

    Filesize

    16KB

    MD5

    62097c983cf2c1fec7183777c5b14f78

    SHA1

    6e4d3255bd0fe7ac761931d5a0af428ed611cd96

    SHA256

    8175e5e4068570a9fddf73140a4d7854da0dd7e27a9faf6d5c010e0a57094779

    SHA512

    7cdf3917d905c82ad3aae9b3feeec1a580df79682db99a6634787a0f6cf448511c986471aead2ac197dbb9967e2ec3995caee63e11b6b1cb29f858169fb7a1fd

  • \Users\Admin\AppData\Local\Temp\DEM4653.exe

    Filesize

    16KB

    MD5

    a600127bf8e15b9aa02aff238f8123d9

    SHA1

    57626966c22f86ebb3d9eee273514b42a64e3789

    SHA256

    5911e553a6e53722816ddcd264f4a424bdc976d412035003bac32cf8f29f7ffd

    SHA512

    6d841d38d09e32011e4c9e95deb5b82209ee0717d594707d3277cb85da77fd7d6d22bba7487704b668ad5c26def0017e402127738bdff82ae4ecdd02031aa5ac

  • \Users\Admin\AppData\Local\Temp\DEM470E.exe

    Filesize

    16KB

    MD5

    deb89f21a4d47838f1c9a5c6fd0c927a

    SHA1

    a5d9ccee59139294c55fb9e566f76281b80434ab

    SHA256

    abbd77a745c2c2aac8812a07dc28773b3ee818d575497051d6cd09dbe003a6de

    SHA512

    0879d32f339a7aa908dcc3d84a24a79c116976fa813c967d2080c63f8b1d391984deaf9ccaecb2316dd33e74a495ba25ada1998f2fdb07a8b59f1800abe229ba

  • \Users\Admin\AppData\Local\Temp\DEM9C20.exe

    Filesize

    16KB

    MD5

    9b06a97cfc6f9f04575a3d1debed51c2

    SHA1

    0d02609991f66aacc2da35339743ff451c4ab161

    SHA256

    877dfb08046a6584a994130a99e46ce93e500857f28ac663b834a2fa2470d209

    SHA512

    537855984fa2a6725bba9e3c1d8f702a72f3b2ed343c3900d1e21759c2dba5c100b0e009438ed44c44c7aacb05083de3bea2abc72541a0b1d7068d9aac17368f

  • \Users\Admin\AppData\Local\Temp\DEM9C9D.exe

    Filesize

    16KB

    MD5

    3357fe1c721f64c9b3632cacd818e019

    SHA1

    b9eac487c2414728ff90aa9864b28ee71e126728

    SHA256

    b363ac8f10e4872b80a9dc2b59a19e9498300713135c1cc129819d6140a134c4

    SHA512

    9a5201d2e2947515f0e7190c2bd4707029b38934ba2abdea37b13a7d893d0e4ed563fcccb3f776cd73c8ef08178c387a9fdcf36efcdc5f16e704e637217c6cf8

  • \Users\Admin\AppData\Local\Temp\DEMF122.exe

    Filesize

    16KB

    MD5

    8eb42cc16dc7e59ebe39018e3998e8ca

    SHA1

    40c7e1b8f799251a32efa4f1336497e2764a5057

    SHA256

    b317f71228e006391bd2dc1ec5d13d636c8a51af6fa6b4a5973372d0bf07a03f

    SHA512

    6779759e98ed369926bfcc8afd81966bc1a4aaaac5a68b95a9e80450eb7ca00aa139fc367f275e486890f9d589080bfd9ff45b9b5fb47ce033de08f55b95b012