Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 06:26

General

  • Target

    file.exe

  • Size

    513KB

  • MD5

    24d4de7a804e44b43ee293956d95dc67

  • SHA1

    d9640dc6ce7eb3fd177e3365079f29871788575c

  • SHA256

    5a47bd114995212a9166e197e412736b01ed55036a580b0cf0622622b030ae5f

  • SHA512

    337dd06a4060142313bc6bf7bba1874f976b04997b4d9e60ca2f6f84e44973ae9f24c9fb4bc20e735c48b01e46c1dafd8154f169fad2c6757c45a286f668a0c2

  • SSDEEP

    12288:WQFk0OkQKiNU3oYb/dejj6PVGHyu0u0+RlBbK3Q:W/PYpejj6PVYyuv0+RlBbH

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Laurette=Get-Content 'C:\Users\Admin\AppData\Local\Detenterne\Stanget.Sem';$Mfindtlig=$Laurette.SubString(14233,3);.$Mfindtlig($Laurette)
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:2536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Detenterne\Pathicism.Cat

    Filesize

    305KB

    MD5

    55fd2c7c3d4ee548d056d729614b5b8f

    SHA1

    632536dcfbfac012cb5d16ab2b2b8387ec65eb6d

    SHA256

    5516cabea74d1ef326c764aec8b9350592d98268982c4ed6a3b2a1f3602edef1

    SHA512

    e301aa1109ad455416c5f994161751d71564173302c8f2e04e88fdc8c8e8900964f93e12d4c2e9e5db41384fd705e16f3f74c5963dfba4a612d836fa5ccf686a

  • C:\Users\Admin\AppData\Local\Detenterne\Stanget.Sem

    Filesize

    52KB

    MD5

    c1e3ebc52541f2f81f7e0e47bda1a016

    SHA1

    66f1918254819903fc670960c7f1156cea533706

    SHA256

    7d2a8552a6abf6e993bc87edfc632d42b3e220deb3ea3cd0f33ae0415576ba27

    SHA512

    e03946b221d9f27593515d6da5fc4746c52373bf16327ea9670c01f2876fecdc6121c96144d68bf4b6404bfe729c4000b0c3461363c95bf0e994b9ad541ac725

  • memory/2284-8-0x0000000074581000-0x0000000074582000-memory.dmp

    Filesize

    4KB

  • memory/2284-12-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-11-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-10-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-9-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-14-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-16-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-17-0x0000000006640000-0x000000000AE91000-memory.dmp

    Filesize

    72.3MB

  • memory/2284-18-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2536-19-0x0000000000310000-0x0000000001372000-memory.dmp

    Filesize

    16.4MB