Analysis
max time kernel: 131s
max time network: 141s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/09/2024, 19:59
Static task: static1
Behavioral task: behavioral1
  Sample: 731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
  Resource: win10v2004-20240802-en
General
Target: 731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
Size: 16KB
MD5: de096a0b4d1e4ec6e1264561db544138
SHA1: bcad7bb9591ce4a46cb89b97038754774a84b04a
SHA256: 731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2
SHA512: 7d480a44b36a5a43fc22022205ac936216b6423e7d2fe4b224461fe544c53f55b2a6ced5746809b66672c8cf1a9ba2a57e679742db838b67137492d15ee1ffd6
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY44EA1H:hDXWipuE+K3/SSHgxm5Z1H
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
  pid   Process
  2472  DEM9C9D.exe
  2896  DEMF1DE.exe
  2680  DEM470E.exe
  1172  DEM9C20.exe
  1540  DEMF122.exe
  580   DEM4653.exe
Loads dropped DLL (6 IoCs)
  pid   Process
  632   731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
  2472  DEM9C9D.exe
  2896  DEMF1DE.exe
  2680  DEM470E.exe
  1172  DEM9C20.exe
  1540  DEMF122.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM470E.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM9C20.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMF122.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM9C9D.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMF1DE.exe
Suspicious use of WriteProcessMemory (24 IoCs; each row below was reported 4 times)
  description                         pid   Process                                                                 procid_target
  PID 632 wrote to memory of 2472     632   731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe   32
  PID 2472 wrote to memory of 2896    2472  DEM9C9D.exe                                                             34
  PID 2896 wrote to memory of 2680    2896  DEMF1DE.exe                                                             36
  PID 2680 wrote to memory of 1172    2680  DEM470E.exe                                                             38
  PID 1172 wrote to memory of 1540    1172  DEM9C20.exe                                                             40
  PID 1540 wrote to memory of 580     1540  DEMF122.exe                                                             42
Processes (indentation shows the process tree; each process is spawned by the one above it)
C:\Users\Admin\AppData\Local\Temp\731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe"
  PID: 632
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DEM9C9D.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM9C9D.exe"
    PID: 2472
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DEMF1DE.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DEMF1DE.exe"
      PID: 2896
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\DEM470E.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\DEM470E.exe"
        PID: 2680
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\DEM9C20.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\DEM9C20.exe"
          PID: 1172
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\DEMF122.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\DEMF122.exe"
            PID: 1540
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\DEM4653.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\DEM4653.exe"
              PID: 580
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads