Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 16s
  max time network: 16s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 05/09/2024, 23:47
Static task: static1
Behavioral task: behavioral1
  Sample: c4cde42b704d740eaa217beabf9b2e70N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c4cde42b704d740eaa217beabf9b2e70N.exe
  Resource: win10v2004-20240802-en
(The results on this page are from behavioral1: platform windows7_x64, resource win7-20240903-en.)
General
  Target: c4cde42b704d740eaa217beabf9b2e70N.exe
  Size: 428KB
  MD5: c4cde42b704d740eaa217beabf9b2e70
  SHA1: 4d8c736e437189111b81d7194ae47f56925a0fa5
  SHA256: 89a96b801908c5740644378454ca5d6cff694109967a3c3823e43b00987a8f7e
  SHA512: 99d9c434bb2921251bbf238b976217996f15e19d98f88da4b35bee629a538458e216616b4d89df4ab88cca39713cbd232a64ed6720cf40f60a556c1b4f457fb2
  SSDEEP: 6144:gVdvczEb7GUOpYWhNVynE/mFDKKR79oLuhzxl8RBPBxFcbPRGXT0CO5rqHR:gZLolhNVyEOnWGFlwRubPRiT25rqHR
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   process
  1948  92CD.tmp

Executes dropped EXE (1 IoC)
  pid   process
  1948  92CD.tmp

Loads dropped DLL (1 IoC)
  pid   process
  2372  c4cde42b704d740eaa217beabf9b2e70N.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Adversaries attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   c4cde42b704d740eaa217beabf9b2e70N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   92CD.tmp
  Both the original sample and the dropped helper open the same NLS\Language key, so the check is performed twice, once per process.

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   process
  1948  92CD.tmp

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   process                                  procid_target
  PID 2372 wrote to memory of 1948   2372  c4cde42b704d740eaa217beabf9b2e70N.exe    31
  (this row is recorded four times, one per write)
  All four writes are from the parent (2372) into the child it had just launched (1948). The report records no target address, size or payload, and a parent writing into a child it has just created is common, so this entry on its own is weak evidence of code injection; read it together with the child's command line in the process tree below.
Processes

C:\Users\Admin\AppData\Local\Temp\c4cde42b704d740eaa217beabf9b2e70N.exe  (PID 2372)
  command line: "C:\Users\Admin\AppData\Local\Temp\c4cde42b704d740eaa217beabf9b2e70N.exe"
  signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\92CD.tmp  (PID 1948)
       command line: "C:\Users\Admin\AppData\Local\Temp\92CD.tmp" --ping C:\Users\Admin\AppData\Local\Temp\c4cde42b704d740eaa217beabf9b2e70N.exe 8492400E37FE02B0B7CDEFFADDE6720BB47B70BB9ED8C32EB2FD78E2027B26339ECF8AFD0681C4C5919A20A20467966C63A1B2C41BBA975F344E39810615C7F2
       signatures: Deletes itself; Executes dropped EXE; System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery
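The process tree above shows the sample launching a helper it dropped into the user's Temp folder (92CD.tmp) and handing it the sample's own path after a --ping switch, followed by a 128-character hex argument. The following is an added example, not part of the tria.ge report or of the sample, showing one way to detect that launch pattern over process-creation telemetry: a Temp\*.tmp image whose command line contains its parent's image path as a whole argument. The event records are constructed from the paths and PIDs in the report; the field names (pid, ppid, image, parent_image, command_line), the sample's own parent process and the benign control event are assumptions.

```python
"""Detect a dropped Temp\\*.tmp helper that is started with its parent's own
path on the command line (added example; constructed events, assumed schema)."""
import re
from typing import Dict, List

# Constructed from the report's process tree; not captured telemetry.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c4cde42b704d740eaa217beabf9b2e70N.exe"
HELPER = r"C:\Users\Admin\AppData\Local\Temp\92CD.tmp"
BLOB = ("8492400E37FE02B0B7CDEFFADDE6720BB47B70BB9ED8C32EB2FD78E2027B2633"
        "9ECF8AFD0681C4C5919A20A20467966C63A1B2C41BBA975F344E39810615C7F2")

# Simplified, assumed event schema (not Sysmon's field names).
EVENTS: List[Dict] = [
    # The sample itself. Its parent is not in the report; explorer.exe / ppid 1000 are assumed.
    {"pid": 2372, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{SAMPLE}"'},
    # The dropped helper as recorded in the report (PID 1948, parent 2372).
    {"pid": 1948, "ppid": 2372, "image": HELPER, "parent_image": SAMPLE,
     "command_line": f'"{HELPER}" --ping {SAMPLE} {BLOB}'},
    # Constructed benign control: a Temp\*.tmp started by an installer without
    # the parent's path on its command line. Must not alert.
    {"pid": 3001, "ppid": 2900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\3F2A.tmp",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\3F2A.tmp" /quiet'},
]

# A file directly under <profile>\AppData\Local\Temp with a .tmp extension.
TEMP_TMP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp$", re.IGNORECASE)
# A double-quoted token, or a run of non-whitespace.
_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line, keeping quoted paths with spaces whole.
    Handles the plain quoting seen in the report; it does not implement the
    full CommandLineToArgvW escaping rules (backslash-before-quote etc.)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _ARG_RE.finditer(cmdline)]


def is_temp_tmp_helper(image: str) -> bool:
    """True for images such as C:\\Users\\<u>\\AppData\\Local\\Temp\\92CD.tmp."""
    return TEMP_TMP.search(image) is not None


def find_dropped_helper_launches(events: List[Dict]) -> List[Dict]:
    """One alert per process-creation event where a Temp\\*.tmp image starts
    and the parent's image path appears as a whole argument (case-insensitive,
    as NTFS paths are)."""
    alerts = []
    for ev in events:
        if not is_temp_tmp_helper(ev["image"]):
            continue
        args = split_windows_cmdline(ev["command_line"])[1:]  # drop argv[0]
        parent = ev["parent_image"].lower()
        if any(a.lower() == parent for a in args):
            alerts.append({
                "pid": ev["pid"],
                "ppid": ev["ppid"],
                "helper": ev["image"],
                "parent": ev["parent_image"],
                "switches": [a for a in args if a.startswith("--")],
                "extra_args": [a for a in args
                               if not a.startswith("--") and a.lower() != parent],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dropped_helper_launches(EVENTS):
        print(f"[!] pid {alert['pid']} (parent {alert['ppid']}) helper {alert['helper']} "
              f"switches={alert['switches']} extra_args={len(alert['extra_args'])}")
```

The control event shows why the parent-path condition is needed: installers also run .tmp files from Temp, so the image location alone would be noisy. When mapping this onto real telemetry, Sysmon Event ID 1 supplies the equivalent of image, parent_image and command_line; keep the whole-token comparison rather than a substring match so that a quoted path with spaces is still matched exactly.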
Network
MITRE ATT&CK Enterprise v15
  T1614.001  System Location Discovery: System Language Discovery
  T1016.001  System Network Configuration Discovery: Internet Connection Discovery
Downloads
  Filesize: 428KB
  MD5: aa62f2976911cc31eb8eccee39b44d25
  SHA1: 35b688f63a64833871e57291f9297d0fc009cf21
  SHA256: 54901de8cfb1ba270e1ba29df4c9b12a0618d32950b47dc81d7b2b1c1307fcdf
  SHA512: 9aa6f71d74df99e7a2da2b94906a63f1b43fd0890a35afe3f797c1a58f000f9571e8cfc2e6b988952f663bd74309ff6946531c860fc25ffe39b4147d16adf90f
  This artifact has the same size as the submitted sample (428KB) but different hashes, so it is a distinct file; the report does not name it.