Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/09/2024, 12:40
Static task: static1
Behavioral task: behavioral1
  Sample: f388543b1ec603de7ce734ed52cf4440N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f388543b1ec603de7ce734ed52cf4440N.exe
  Resource: win10v2004-20240802-en
General
Target: f388543b1ec603de7ce734ed52cf4440N.exe
Size: 39KB
MD5: f388543b1ec603de7ce734ed52cf4440
SHA1: b211b7575917d32faa4313454adbbcfbf8d84906
SHA256: 9d7a132513bbd6356eaefcb3ecea2487c95ffcd3bf5b8c4c937556d7f7ddfc1e
SHA512: b3516a20a7f400ced2c6212de38c1d6954866a5547eb85fb98e20d77c865eee8e743194725600a748522f53aba61a3dd172195b4f9b06398c322f965b676f825
SSDEEP: 768:ePyFZFASe0Ep0EpHZplRpqpd6rqxn4p6vghzwYu7vih9GueIh9j2IoHAcBHUIFvq:e6q10k0EFjed6rqJ+6vghzwYu7vih9GE
Malware Config
Signatures
-
Deletes itself (1 IoC)
  PID 2620  microsofthelp.exe
Executes dropped EXE (1 IoC)
  PID 2620  microsofthelp.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"  by f388543b1ec603de7ce734ed52cf4440N.exe
Drops file in Windows directory (2 IoCs)
  File created  C:\Windows\HidePlugin.dll  by microsofthelp.exe
  File created  C:\Windows\microsofthelp.exe  by f388543b1ec603de7ce734ed52cf4440N.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by f388543b1ec603de7ce734ed52cf4440N.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2488 wrote to memory of 2620  f388543b1ec603de7ce734ed52cf4440N.exe  procid_target 31  (reported 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\f388543b1ec603de7ce734ed52cf4440N.exe  (PID 2488)
  command line: "C:\Users\Admin\AppData\Local\Temp\f388543b1ec603de7ce734ed52cf4440N.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\microsofthelp.exe  (PID 2620, child of 2488)
    command line: "C:\Windows\microsofthelp.exe"
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Windows directory
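The Signatures and Processes sections together describe one persistence chain: the sample, running from the user's Temp directory, writes microsofthelp.exe directly into the Windows root (not into System32 or another subdirectory), points an HKCU Run value at that path, and starts the copy, which then drops HidePlugin.dll beside itself. The following hunt logic is an added example and not part of the Triage report: it joins Run-key writes to earlier Windows-root drops of the same path and flags a dropper that ran from a user Temp folder. Field names on the events are Sysmon-like but assumed; the event list is constructed from the report's own PIDs, paths and registry data, with two benign events (svchost.exe writing into System32, an "ExampleVendor" updater registering itself from Program Files) made up as noise that must not match.

```python
"""Hunt for the drop-to-Windows-root plus HKCU Run persistence chain seen in this report.
Added example, not Triage output. Event fields are Sysmon-like but assumed; the sample
events at the bottom are constructed from the report's IoCs plus invented benign noise."""
import re
from dataclasses import dataclass

# Run value under any hive spelling: HKEY_CURRENT_USER\... or \REGISTRY\USER\<SID>\...
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# EXE or DLL placed directly in <drive>:\Windows\ (exactly one path component after it)
WIN_ROOT_BINARY_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
USER_TEMP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str       # "file_create" or "reg_set"
    pid: int
    image: str      # full path of the process performing the action
    target: str     # created file path, or full registry value path
    data: str = ""  # registry value data (reg_set only)


def normalize_path(raw):
    """Drop surrounding quotes and collapse the doubled backslashes Triage prints
    in registry data so paths from both event kinds compare equal."""
    return raw.strip().strip('"').replace("\\\\", "\\")


def autostart_image(data):
    """Executable path from Run value data, ignoring trailing arguments.
    A quoted path is taken up to the closing quote; an unquoted one up to the
    first space (an unquoted path containing spaces is a known limitation)."""
    s = data.strip().replace("\\\\", "\\")
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def windows_root_drops(events):
    """Every EXE/DLL written directly into the Windows root, regardless of writer.
    Installers put binaries in System32 or Program Files, so any hit deserves a look,
    including the second-stage drop made by the already-planted copy."""
    return [normalize_path(e.target) for e in events
            if e.kind == "file_create" and WIN_ROOT_BINARY_RE.match(normalize_path(e.target))]


def find_persistence_chains(events):
    """Join Run-key writes to earlier Windows-root drops of the same path and report
    the dropper, flagging the case where it ran from a user Temp directory."""
    dropped = {}
    for e in events:
        if e.kind == "file_create":
            path = normalize_path(e.target)
            if WIN_ROOT_BINARY_RE.match(path):
                dropped.setdefault(path.lower(), e)  # keep the first writer
    findings = []
    for e in events:
        if e.kind != "reg_set" or not RUN_VALUE_RE.search(e.target):
            continue
        autostart = autostart_image(e.data)
        drop = dropped.get(autostart.lower())
        if drop is None:
            continue
        findings.append({
            "run_value": e.target.rsplit("\\", 1)[-1],
            "autostart_exe": autostart,
            "set_by_pid": e.pid,
            "dropper_pid": drop.pid,
            "dropper_image": drop.image,
            "dropper_from_user_temp": bool(USER_TEMP_RE.match(drop.image)),
        })
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f388543b1ec603de7ce734ed52cf4440N.exe"
SAMPLE_EVENTS = [  # constructed; PIDs, paths and registry data copied from the report
    Event("file_create", 2488, DROPPER, r"C:\Windows\microsofthelp.exe"),
    Event("reg_set", 2488, DROPPER,
          r"\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000"
          r"\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp",
          r'"C:\\Windows\\microsofthelp.exe"'),
    Event("file_create", 2620, r"C:\Windows\microsofthelp.exe", r"C:\Windows\HidePlugin.dll"),
    # invented benign noise that must not match: a System32 write, a Program Files autostart
    Event("file_create", 900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\example.dll"),
    Event("reg_set", 1200, r"C:\Program Files\ExampleVendor\updater.exe",
          r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
          r'"C:\Program Files\ExampleVendor\updater.exe" /background'),
]

if __name__ == "__main__":
    for finding in find_persistence_chains(SAMPLE_EVENTS):
        print(finding)
    print("binaries dropped into Windows root:", windows_root_drops(SAMPLE_EVENTS))
```

Run against the constructed events, the join yields one chain (Run value `microsofthelp`, dropper PID 2488 from the user's Temp folder) and the root-drop sweep lists both microsofthelp.exe and HidePlugin.dll. The second function matters because once the planted copy runs, its own writes look like "Windows writing into Windows" and no longer carry a Temp-directory parent, so a rule keyed only on the dropper's location would miss the DLL.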
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: 74c96d12ba87dcc9221561975e846e7c
SHA1: 9edc0036fccfecbd12b642463a5d225a915cbc82
SHA256: 6da522bca80bf7670c585e6e7d5b09fd977387595befbbcfe7c109837cd26680
SHA512: 0e87a8309d024cd54abe31817f529f18f7b0d4b1020c812bdfba219b51a59e4d76a4d8bb40900af059e607ef36da3ca8b83a6b024e9e979a43241fb4db8d0c3e