Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/09/2024, 20:58
Static task
static1
Behavioral task
behavioral1
Sample
ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe
Resource
win10v2004-20240802-en
General
-
Target
ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe
-
Size
32KB
-
MD5
604380fff2d54fb5b474cf5c6aa91eee
-
SHA1
53e614c65a9d36fcd84f44d16d88f83f89ae0097
-
SHA256
ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894
-
SHA512
23f0a6f260e91a78be7eb347f61fedfa024a58373b0e0f93b0ad5f61259dee4ee15ea2e01329a6d88680564bbe81eabdd26259ed5206b08f5bd6276aec7f1d30
-
SSDEEP
768:qZL/0F24lercjO4sTZg5ZLvn2IuWZ0kqKNPWQHpq:OLsF2Kerc64sTiX2IV0Dhuq
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2652 WINWORD.exe 2968 WINWORD.exe -
Loads dropped DLL 4 IoCs
pid Process 2544 ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe 2544 ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe 2504 cmd.exe 2504 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWORD = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\WINWORD.exe -r" WINWORD.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2880 PING.EXE 2504 cmd.exe 2892 PING.EXE 2724 PING.EXE -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 2892 PING.EXE 2724 PING.EXE 2880 PING.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2544 wrote to memory of 2652 2544 ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe 31 PID 2544 wrote to memory of 2652 2544 ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe 31 PID 2544 wrote to memory of 2652 2544 ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe 31 PID 2544 wrote to memory of 2652 2544 ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe 31 PID 2652 wrote to memory of 2504 2652 WINWORD.exe 32 PID 2652 wrote to memory of 2504 2652 WINWORD.exe 32 PID 2652 wrote to memory of 2504 2652 WINWORD.exe 32 PID 2652 wrote to memory of 2504 2652 WINWORD.exe 32 PID 2504 wrote to memory of 2892 2504 cmd.exe 34 PID 2504 wrote to memory of 2892 2504 cmd.exe 34 PID 2504 wrote to memory of 2892 2504 cmd.exe 34 PID 2504 wrote to memory of 2892 2504 cmd.exe 34 PID 2504 wrote to memory of 2724 2504 cmd.exe 35 PID 2504 wrote to memory of 2724 2504 cmd.exe 35 PID 2504 wrote to memory of 2724 2504 cmd.exe 35 PID 2504 wrote to memory of 2724 2504 cmd.exe 35 PID 2504 wrote to memory of 2880 2504 cmd.exe 36 PID 2504 wrote to memory of 2880 2504 cmd.exe 36 PID 2504 wrote to memory of 2880 2504 cmd.exe 36 PID 2504 wrote to memory of 2880 2504 cmd.exe 36 PID 2504 wrote to memory of 2968 2504 cmd.exe 37 PID 2504 wrote to memory of 2968 2504 cmd.exe 37 PID 2504 wrote to memory of 2968 2504 cmd.exe 37 PID 2504 wrote to memory of 2968 2504 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe"C:\Users\Admin\AppData\Local\Temp\ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe"C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" -r2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Admin\AppData\Roaming\Mozilla\00001AFB" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 24⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2892
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 24⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2724
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 24⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2880
-
-
C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe"C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2968
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD59ed6142a09cbc1f0c801cb54e70f9ed2
SHA1efa50c29d6686680b59a069c3231197c6d7e4959
SHA256a8a96fd495044b3174759fe3f19649d559bdc3b08037396f7d643157d76ee839
SHA5129a48a2248a19faf3c380c054c5fa1d24893798959ebd04d32f9cb76020dc39b15fee5e118f129331205f0b120a07c0a6648e744a72ef1a3fb88868fbfc086b8f
-
Filesize
32KB
MD5604380fff2d54fb5b474cf5c6aa91eee
SHA153e614c65a9d36fcd84f44d16d88f83f89ae0097
SHA256ef435776f8f7bef99e56c36c9335f4a7b368a04ae3d34e45b20c8f557b806894
SHA51223f0a6f260e91a78be7eb347f61fedfa024a58373b0e0f93b0ad5f61259dee4ee15ea2e01329a6d88680564bbe81eabdd26259ed5206b08f5bd6276aec7f1d30