Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
144s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
06/09/2024, 06:26
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240708-en
General
-
Target
file.exe
-
Size
513KB
-
MD5
24d4de7a804e44b43ee293956d95dc67
-
SHA1
d9640dc6ce7eb3fd177e3365079f29871788575c
-
SHA256
5a47bd114995212a9166e197e412736b01ed55036a580b0cf0622622b030ae5f
-
SHA512
337dd06a4060142313bc6bf7bba1874f976b04997b4d9e60ca2f6f84e44973ae9f24c9fb4bc20e735c48b01e46c1dafd8154f169fad2c6757c45a286f668a0c2
-
SSDEEP
12288:WQFk0OkQKiNU3oYb/dejj6PVGHyu0u0+RlBbK3Q:W/PYpejj6PVYyuv0+RlBbH
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run PowerShell and hide display window.
pid    Process
2284   powershell.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid    Process
2284   powershell.exe
2536   wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
description                            pid    Process          procid_target
PID 2284 set thread context of 2536    2284   powershell.exe   33
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   file.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   wab.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid    Process
2284   powershell.exe
2284   powershell.exe
2284   powershell.exe
2284   powershell.exe
2284   powershell.exe
2284   powershell.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
pid    Process
2284   powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid    Process
Token: SeDebugPrivilege   2284   powershell.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
description                       pid    Process          procid_target
PID 2172 wrote to memory of 2284  2172   file.exe         30
PID 2172 wrote to memory of 2284  2172   file.exe         30
PID 2172 wrote to memory of 2284  2172   file.exe         30
PID 2172 wrote to memory of 2284  2172   file.exe         30
PID 2284 wrote to memory of 2536  2284   powershell.exe   33
PID 2284 wrote to memory of 2536  2284   powershell.exe   33
PID 2284 wrote to memory of 2536  2284   powershell.exe   33
PID 2284 wrote to memory of 2536  2284   powershell.exe   33
PID 2284 wrote to memory of 2536  2284   powershell.exe   33
PID 2284 wrote to memory of 2536  2284   powershell.exe   33
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 2172
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Laurette=Get-Content 'C:\Users\Admin\AppData\Local\Detenterne\Stanget.Sem';$Mfindtlig=$Laurette.SubString(14233,3);.$Mfindtlig($Laurette)
    PID: 2284
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 2536
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
305KB
MD5
55fd2c7c3d4ee548d056d729614b5b8f
SHA1
632536dcfbfac012cb5d16ab2b2b8387ec65eb6d
SHA256
5516cabea74d1ef326c764aec8b9350592d98268982c4ed6a3b2a1f3602edef1
SHA512
e301aa1109ad455416c5f994161751d71564173302c8f2e04e88fdc8c8e8900964f93e12d4c2e9e5db41384fd705e16f3f74c5963dfba4a612d836fa5ccf686a
-
Filesize
52KB
MD5
c1e3ebc52541f2f81f7e0e47bda1a016
SHA1
66f1918254819903fc670960c7f1156cea533706
SHA256
7d2a8552a6abf6e993bc87edfc632d42b3e220deb3ea3cd0f33ae0415576ba27
SHA512
e03946b221d9f27593515d6da5fc4746c52373bf16327ea9670c01f2876fecdc6121c96144d68bf4b6404bfe729c4000b0c3461363c95bf0e994b9ad541ac725