Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/09/2024, 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe
  Resource: win10v2004-20240802-en
General
Target: d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe
Size: 7.9MB
MD5: 8d1307a9e1186f89399e2251998f1494
SHA1: d2614c64b38c812e1ceafdac6b5527b21dc4c6c3
SHA256: d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7
SHA512: 496f235c39695b88358c96891fc61ca0440130dd9cfecdbc68d8c2747c9cdfac8b3d2542c49df82d01b3192ce04d5e343584df711e0049626f2c2028c78241b2
SSDEEP: 196608:8Eazg7DSmEazg7DSmEazg7DSmEazg7DSN:Og7uYg7uYg7uYg7uN
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid | Process
2684 | 7D57AD13E21.exe
2716 | Scegli_nome_allegato.exe
2928 | 7D57AD13E21.exe

Loads dropped DLL (3 IoCs)
pid | Process
2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe
2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe
2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" | reg.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2684 set thread context of 2928 | 2684 | 7D57AD13E21.exe | 35

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7D57AD13E21.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Scegli_nome_allegato.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7D57AD13E21.exe

Modifies Internet Explorer settings (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | Scegli_nome_allegato.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Scegli_nome_allegato.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Scegli_nome_allegato.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
2764 | reg.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2716 | Scegli_nome_allegato.exe
2716 | Scegli_nome_allegato.exe
2716 | Scegli_nome_allegato.exe
2928 | 7D57AD13E21.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2352 wrote to memory of 2764 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 31
PID 2352 wrote to memory of 2764 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 31
PID 2352 wrote to memory of 2764 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 31
PID 2352 wrote to memory of 2764 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 31
PID 2352 wrote to memory of 2684 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 33
PID 2352 wrote to memory of 2684 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 33
PID 2352 wrote to memory of 2684 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 33
PID 2352 wrote to memory of 2684 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 33
PID 2352 wrote to memory of 2716 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 34
PID 2352 wrote to memory of 2716 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 34
PID 2352 wrote to memory of 2716 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 34
PID 2352 wrote to memory of 2716 | 2352 | d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe | 34
PID 2684 wrote to memory of 2928 | 2684 | 7D57AD13E21.exe | 35
PID 2684 wrote to memory of 2928 | 2684 | 7D57AD13E21.exe | 35
PID 2684 wrote to memory of 2928 | 2684 | 7D57AD13E21.exe | 35
PID 2684 wrote to memory of 2928 | 2684 | 7D57AD13E21.exe | 35
PID 2684 wrote to memory of 2928 | 2684 | 7D57AD13E21.exe | 35
PID 2684 wrote to memory of 2928 | 2684 | 7D57AD13E21.exe | 35
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2352

  Depth 2: C:\Windows\SysWOW64\reg.exe
    Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID: 2764

  Depth 2: C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2684

    Depth 3: C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
      Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2928

  Depth 2: C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7.9MB
MD5: 5e4f99cb14d42e45073feabc4da5ae64
SHA1: b6fd25a25569d082da98e8e47b48b8ad07dae533
SHA256: 863f22bb966f4d1e92b1e1993f441695eb32187172e363e71f41f7377b346692
SHA512: 6baa4b5f8635b5bf6635b4bd4c9fb2dbda6a236c87d8b190ec5653f0b1545e3636706889a123ee2d37e7db968a4bb52bf386105ce6865a5d3db5ac5577cafa13

Filesize: 1.0MB
MD5: a2f259ceb892d3b0d1d121997c8927e3
SHA1: 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256: ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512: 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad