Analysis
-
max time kernel
110s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
11/09/2024, 18:46
Static task
static1
Behavioral task
behavioral1
Sample
e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Resource
win10v2004-20240802-en
General
-
Target
e62b87ba4ca60a4acd9b0cc026b5c580N.exe
-
Size
223KB
-
MD5
e62b87ba4ca60a4acd9b0cc026b5c580
-
SHA1
32496b168bf717b5c095cff2a0cc5d3fb062cf99
-
SHA256
65de25d4592677bf18d2ca1fda71800b22e2a97d2a8180bb8c910d2e308025f6
-
SHA512
48f2fac4eeb43878abc6ba4da91ee71ac967b395a7deb9f6f428bde08d64c752c54f0193933979f0378d54dbd2cc3ba1e349b8443d6b02c1d3b9c0e61295b467
-
SSDEEP
1536:0QqX1EEpwljTSWebPmgPB6FVqX+O3m/TkmL4oDHTjCWSpAnE5s:A1UpoqQ+ICakHdSpAnA
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid | Process
2052 | explorer.exe -
Loads dropped DLL 2 IoCs
pid | Process
1984 | e62b87ba4ca60a4acd9b0cc026b5c580N.exe
1984 | e62b87ba4ca60a4acd9b0cc026b5c580N.exe -
Enumerates connected drives 3 TTPs 34 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: (17 entries) | e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: (17 entries) | explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e62b87ba4ca60a4acd9b0cc026b5c580N.exe -
Modifies registry class 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\EFile = "050044095052045078088033051037074250072066091121201100103130105046000118048236211199163193060056035032" | e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile | e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV | e62b87ba4ca60a4acd9b0cc026b5c580N.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1984 | e62b87ba4ca60a4acd9b0cc026b5c580N.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2052 | explorer.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1984 wrote to memory of 2052 | 1984 | e62b87ba4ca60a4acd9b0cc026b5c580N.exe | 30
PID 1984 wrote to memory of 2052 | 1984 | e62b87ba4ca60a4acd9b0cc026b5c580N.exe | 30
PID 1984 wrote to memory of 2052 | 1984 | e62b87ba4ca60a4acd9b0cc026b5c580N.exe | 30
PID 1984 wrote to memory of 2052 | 1984 | e62b87ba4ca60a4acd9b0cc026b5c580N.exe | 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e62b87ba4ca60a4acd9b0cc026b5c580N.exe"
Depth: 1
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Users\explorer.exe
Command line: C:\Users\explorer.exe
Depth: 2
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2052
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
224KB
MD5
ce091b260266c9bb8b2f42bac066d9f2
SHA1
16273df007a29087a59ff2940dc10a0664fe091f
SHA256
ff8ac181c941e99b19f1f51324fa69bd3951c3e1b71f968c2b720a7f9d05bec1
SHA512
d67e72e80e15daca64ca92841574f2d17cb5bc5dc46ac355a1a7018c91ebf046363492b3beebb98d6472d97bdd037c3de0c3d4759bf0fc8ae07b2666c286d2a5