Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/09/2024, 15:24

General

  • Target: d7d1fc2e7181c835679f6743e884b210N.exe
  • Size: 3.5MB
  • MD5: d7d1fc2e7181c835679f6743e884b210
  • SHA1: c9866d544b7042dc4bc795e5afe03ec54b4fb1eb
  • SHA256: 1225b77ccd2c1479b52f0ba03fee7b6a07cc7dd12660f62a369a156a31f10946
  • SHA512: 7fa22d51d3721826ea7185eb6423804239260d6b223cc668196983fee104e1c29127e561492f9f380102cc0bae58309b6c0649e9546071831ca53fe00fff3484
  • SSDEEP: 49152:xaOLqZMLAxmB/Tv8lOzR7tQ0A5QGImYfujUkiVWEVPbhbIrs3xehOfqaJM2eH7bB:AOEMLA8bnGfjel4sB9fqUwJpVjwBE+nI

Malware Config

Signatures

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7d1fc2e7181c835679f6743e884b210N.exe
    "C:\Users\Admin\AppData\Local\Temp\d7d1fc2e7181c835679f6743e884b210N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\d7d1fc2e7181c835679f6743e884b210N.exe
      C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\d7d1fc2e7181c835679f6743e884b210N.exe /q"C:\Users\Admin\AppData\Local\Temp\d7d1fc2e7181c835679f6743e884b210N.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}" /IS_temp
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\0x0409.ini
    Filesize: 21KB
    MD5: a108f0030a2cda00405281014f897241
    SHA1: d112325fa45664272b08ef5e8ff8c85382ebb991
    SHA256: 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
    SHA512: d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

  • C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\_ISMSIDEL.INI
    Filesize: 704B
    MD5: a66d35c68d1e7c05c03076f5b2505695
    SHA1: 9ea3c0a7c6d670941330867ef0f8f4649d28b500
    SHA256: d71fd8714ad47320436ab0bf2e374cfcd46660ae0fb64236065022478c8a30d9
    SHA512: b1eb7d905e6d042d6aae527ebacd2d30c1ec77f02be8f5636e1d6497aa2a114ed86da54690520cea45082c36a7ba98f1003b8c87cf683cf598e760543b73a296

  • C:\Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\_ISMSIDEL.INI
    Filesize: 20B
    MD5: db9af7503f195df96593ac42d5519075
    SHA1: 1b487531bad10f77750b8a50aca48593379e5f56
    SHA256: 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
    SHA512: 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

  • C:\Users\Admin\AppData\Local\Temp\~9C8F.tmp
    Filesize: 5KB
    MD5: 36353e59e20ea55c00e23d620d756183
    SHA1: f060f69ef640ff01cc9c0a41d589e8c1775d1c80
    SHA256: 57c9362b54b8cfc79332d33ec3c8e0fbb8df7709435de6ae63667dd094c82a0b
    SHA512: d31938a11574c1059040a7f878e7254b6ced7095bceb1cf56d29f3c7118bcf805459a284d25e3051f2fd56a48124064292377106beb02420ba24d0e523298ca0

  • \Users\Admin\AppData\Local\Temp\{075EB576-D25E-4A06-9CA9-69211EE966DE}\d7d1fc2e7181c835679f6743e884b210N.exe
    Filesize: 3.5MB
    MD5: d7d1fc2e7181c835679f6743e884b210
    SHA1: c9866d544b7042dc4bc795e5afe03ec54b4fb1eb
    SHA256: 1225b77ccd2c1479b52f0ba03fee7b6a07cc7dd12660f62a369a156a31f10946
    SHA512: 7fa22d51d3721826ea7185eb6423804239260d6b223cc668196983fee104e1c29127e561492f9f380102cc0bae58309b6c0649e9546071831ca53fe00fff3484