Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/09/2024, 05:09
Behavioral task: behavioral1
Sample: teur4.exe
Resource: win7-20240903-en
General
Target: teur4.exe
Size: 615KB
MD5: b3e46b8cbe83d0e6002173c37e8436a7
SHA1: de994b98fac3f9499ee15c3ccf859ef05db14b62
SHA256: 35f20c8ae6e9990812b6ccf20321af32662bcf76d8c27a800f086255911bfb6b
SHA512: 5f9a07740d76c9407160029655a9b66a50e136b63abd071c79106d2339b6951c28397f441cec7c99d968706ed7bd4e01288459bf22e0489fca646eccf0dc57f8
SSDEEP: 12288:3Ui+Sybja8AwVReTD7oB++4clgVY3fYNKfPTksjUTyKJrVSo5flO9dJu:3KSybm8AaRiE+wy2PYNCQIWVd5cw
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  3028  teur4.exe

- Executes dropped EXE (1 IoCs)
  pid   Process
  3028  teur4.exe

- Loads dropped DLL (1 IoCs)
  pid   Process
  2672  teur4.exe

- YARA rule matches
  resource                                                                     yara_rule
  behavioral1/memory/2672-0-0x0000000000400000-0x000000000065C000-memory.dmp   upx
  behavioral1/files/0x0005000000010300-16.dat                                  upx
  behavioral1/memory/3028-28-0x0000000000400000-0x000000000065C000-memory.dmp  upx

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow  ioc
  2     pastebin.com

- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  teur4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  teur4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe

- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2944  schtasks.exe

- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2672  teur4.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2672  teur4.exe
  3028  teur4.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description                         pid   Process     procid_target
  PID 2672 wrote to memory of 3028    2672  teur4.exe   31
  PID 2672 wrote to memory of 3028    2672  teur4.exe   31
  PID 2672 wrote to memory of 3028    2672  teur4.exe   31
  PID 2672 wrote to memory of 3028    2672  teur4.exe   31
  PID 3028 wrote to memory of 2944    3028  teur4.exe   32
  PID 3028 wrote to memory of 2944    3028  teur4.exe   32
  PID 3028 wrote to memory of 2944    3028  teur4.exe   32
  PID 3028 wrote to memory of 2944    3028  teur4.exe   32
  PID 3028 wrote to memory of 2708    3028  teur4.exe   34
  PID 3028 wrote to memory of 2708    3028  teur4.exe   34
  PID 3028 wrote to memory of 2708    3028  teur4.exe   34
  PID 3028 wrote to memory of 2708    3028  teur4.exe   34
  PID 2708 wrote to memory of 2620    2708  cmd.exe     36
  PID 2708 wrote to memory of 2620    2708  cmd.exe     36
  PID 2708 wrote to memory of 2620    2708  cmd.exe     36
  PID 2708 wrote to memory of 2620    2708  cmd.exe     36
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\teur4.exe (depth 1, PID 2672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\teur4.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\teur4.exe (depth 2, PID 3028)
    Command line: C:\Users\Admin\AppData\Local\Temp\teur4.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 2944)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\teur4.exe" /TN vphawsPt128a /F
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2708)
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN vphawsPt128a > C:\Users\Admin\AppData\Local\Temp\i5cJFMUSh.xml
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (depth 4, PID 2620)
        Command line: schtasks.exe /Query /XML /TN vphawsPt128a
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 1eca9bc76acd870c5d51b9692717e77f
  SHA1: f3045272c3a5356c030b78a3b280fd0debf177c9
  SHA256: cc326b6e66ea9f19c3fa2230cd2fab514296f635359b64d91a780220fa7bf663
  SHA512: c311fdabd4b554ca971dfad55cf232634144c9a08081a57593c7deb61713b58f98a5d6b921b46f698817f76fcc48482440a64e042fb03decd01629d1d1e463b8
- Filesize: 615KB
  MD5: 2e38baeae2ba1db7d29fe16b8c74f93a
  SHA1: d41e909eb38542032b064d033e139a2669092977
  SHA256: 2fa067156ae80576a9fc02f95e239f019ab67e65067f49c84b8339451b4d3b85
  SHA512: bd842c00ae041856ebce20e043b208c64210f555187421c15b82837f67515e65762fd96a088bea8a72e4e5fc8358fd6aebda48c0e4c045276bb37eb4746df176