Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/09/2024, 21:40
Static task: static1

Behavioral task: behavioral1 (the run shown on this page; it matches the platform and resource in the Analysis block above)
  Sample: 5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
  Resource: win10v2004-20240802-en
General
Target: 5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
Size: 2.3MB
MD5: c448e7ba48015f2161bcdc520efdd0be
SHA1: 9ad690b77c7809b44d7816ea2d0dfdae05a82989
SHA256: 5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f
SHA512: b41371f280bc93a58233f0623b6321e364e722977e99529b025bf9d2d8a43ad32d577bf8b007f3698471cf0af5376d5e4e2369ee407a9bfdab4b7e24d9a17a16
SSDEEP: 49152:6kQTAQfGuxOtReiPjyuECu02Qo81wnXy1DQnC:6ayxOTVeXTQrwilQnC
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2780  ren.exe
  2556  uHaR0zLcjq.exe

Loads dropped DLL (4 IoCs)
  PID   Process
  1424  5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
  1424  5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
  2780  ren.exe
  2556  uHaR0zLcjq.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uHaR0zLcjq.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ren.exe
  Note: legitimate software reads this key routinely for locale handling; on its own it is weak evidence and matters here only because all three stages of the chain do it.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process                                                                 Entries
  1424  5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe  2
  2780  ren.exe                                                                 2
  2556  uHaR0zLcjq.exe                                                          60 (all remaining entries)

Suspicious behavior: RenamesItself (1 IoC)
  PID   Process
  2780  ren.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  1424  5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
  Token: SeDebugPrivilege  2780  ren.exe
  Token: SeDebugPrivilege  2556  uHaR0zLcjq.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Description                       PID   Process                                                                 procid_target  Entries
  PID 1424 wrote to memory of 2780  1424  5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe  29             4
  PID 2780 wrote to memory of 2556  2780  ren.exe                                                                 30             4
  Each write is from a process to the child it launches (1424 to 2780, 2780 to 2556); no writes to unrelated processes are recorded.
Processes

1. C:\Users\Admin\AppData\Local\Temp\5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe"
   PID: 1424
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ren.exe (child of PID 1424)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ren.exe" C:\Users\Admin\AppData\Local\Temp\5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe 1424
      PID: 2780
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\uHaR0zLcjq.exe (child of PID 2780)
         Command line: "C:\Users\Admin\AppData\Local\Temp\uHaR0zLcjq.exe" run 2780
         PID: 2556
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

Each dropped stage is started with its parent's identity on the command line: ren.exe receives the original sample's path and PID 1424, and uHaR0zLcjq.exe receives "run 2780". All three binaries live in the same %TEMP% directory. The report does not show what the stages do with these arguments.
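Reconstructing the launch chain from the three process records above, as an added example (editor-written code, not tria.ge's or the sample's own): the records are transcribed from the Processes section, the parent links come from the nesting depth the report shows, and build_tree, split_cmdline and relaunch_findings are names chosen here. The check flags any child whose arguments carry the parent's image path or PID, which is exactly the pattern ren.exe and uHaR0zLcjq.exe exhibit:

```python
"""Rebuild a process tree from sandbox-style process records and flag
relaunch chains in which a child is handed its parent's image path or PID.

Added example. RECORDS is constructed input transcribed from the report;
nothing here talks to tria.ge."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    depth: int            # nesting level shown in the report (1, 2, 3)
    cmdline: str
    parent: Proc | None = None
    children: list[Proc] = field(default_factory=list)

    @property
    def image(self) -> str:
        """Executable path: first token of the command line, quotes removed."""
        return split_cmdline(self.cmdline)[0]


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line: quoted runs stay together, quotes are
    stripped, backslashes are left untouched (no POSIX escaping)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe"

# (pid, depth, command line) as listed in the Processes section above.
RECORDS = [
    (1424, 1, f'"{TEMP}\\{SAMPLE}"'),
    (2780, 2, f'"{TEMP}\\ren.exe" {TEMP}\\{SAMPLE} 1424'),
    (2556, 3, f'"{TEMP}\\uHaR0zLcjq.exe" run 2780'),
]


def build_tree(records: list[tuple[int, int, str]]) -> dict[int, Proc]:
    """Link each record to the nearest preceding record one level shallower,
    the way the depth markers nest in the report. Returns pid -> Proc."""
    procs = [Proc(pid, depth, cmd) for pid, depth, cmd in records]
    stack: list[Proc] = []
    for p in procs:
        while stack and stack[-1].depth >= p.depth:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
    return {p.pid: p for p in procs}


def relaunch_findings(procs: dict[int, Proc]) -> list[tuple[int, int, bool, bool]]:
    """For every child, report (child pid, parent pid, got_parent_path,
    got_parent_pid) when its arguments reference the parent's image or PID."""
    findings = []
    for p in procs.values():
        if p.parent is None:
            continue
        args = split_cmdline(p.cmdline)[1:]
        got_path = any(a.lower() == p.parent.image.lower() for a in args)
        got_pid = str(p.parent.pid) in args
        if got_path or got_pid:
            findings.append((p.pid, p.parent.pid, got_path, got_pid))
    return findings


def chain(procs: dict[int, Proc], pid: int) -> list[str]:
    """Image file names from the root of the tree down to pid."""
    names = []
    p: Proc | None = procs[pid]
    while p is not None:
        names.append(p.image.rsplit("\\", 1)[-1])
        p = p.parent
    return names[::-1]


if __name__ == "__main__":
    tree = build_tree(RECORDS)
    print(" -> ".join(chain(tree, 2556)))
    for child, parent, got_path, got_pid in relaunch_findings(tree):
        print(f"PID {child} started by {parent}: "
              f"parent path in argv={got_path}, parent pid in argv={got_pid}")
```

Running it prints the chain 5499f16661...394f.exe -> ren.exe -> uHaR0zLcjq.exe and two findings: 2780 received both the path and PID of 1424, and 2556 received only the PID of 2780. The same check applies to any process log that records command line and parent (for example Sysmon event ID 1, where ParentImage and ParentProcessId can be compared against CommandLine), so it can be turned into a hunt for stagers that relaunch themselves under a new name.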
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
  Filesize: 2.3MB
  MD5: 672365dc12ed9cb67d87a1c2bec793bf
  SHA1: 9b1790840b7fb90a432785d14360fd4212218523
  SHA256: 00e6139175c16eb631fba2ee133365eb8ab1d0f764e921cc145096a9dda25c3b
  SHA512: e498ff7a4c29171a2b66602a3289d9d0d3263731627531961674430d78f6ca2b54c47df301cd175a61ed1a39b10d14d58fe20a4babb65ddf4741e389abd608dc

Dropped file 2
  Filesize: 67KB
  MD5: b48ee45a24990664d7392baeef2fe115
  SHA1: 04f6578a3b2461938b48f5bf9c6160a209cd30c4
  SHA256: 2100f1991075959c04fb3f5acb994cc229f47523fddd7357887135ea27624a94
  SHA512: c960f132567a6c0030f23a6fc48ac19cc4db59b9852adb2253ebbaf837257e2cc5baf7e6598a2d58f6fe94bd7743ff124cc6b79fcabe658847caa0f3b796cfbb

Dropped file 3
  Filesize: 180KB
  MD5: f636949e31ebde732ed742647d114aef
  SHA1: ea8f00281cad5554be7e0f9399c7575e40ee5eeb
  SHA256: 73f6b7c9d2c8bd72ff05b9476fe13c31d81a62304e33951282837de59090ad52
  SHA512: e81b5eb76a9bf11dabc444f33f0293b0099d409b9256ce33793e89cac80244899561d575d2b9136a53d5b30dfb980576fbf58402ad5f7c36544273bc87966715

The page does not name these files, so they cannot be matched to ren.exe, uHaR0zLcjq.exe or the dropped DLLs from the hashes alone. Dropped file 1 has the same 2.3MB size as the submitted sample but different hashes, so it is not a byte-identical copy.