Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/09/2024, 11:28
Static task
static1
Behavioral task
behavioral1
Sample
9e3494c7374253afde5c470190cd72d0N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9e3494c7374253afde5c470190cd72d0N.exe
Resource
win10v2004-20240802-en
General
-
Target
9e3494c7374253afde5c470190cd72d0N.exe
-
Size
40KB
-
MD5
9e3494c7374253afde5c470190cd72d0
-
SHA1
c1db0a716d34ef279c974fcb911cdc08da6518c1
-
SHA256
62e586e60e654c73d0ed6f9b3a3ca7f701259e8ef4a49ae4a162580803d2edde
-
SHA512
c8558e073b85f78ed2c9bd364d3516f1ee9090a746c595dd6bc956051d07b001b19e11e8a37c2754a0d3fef81042141f214d9acad794d5e4c25db9726dbcf4d7
-
SSDEEP
768:ePyFZFASe0Ep0EpHZplRpqpd6rqxn4p6vghzwYu7vih9GueIh9j2IoHAjU+Eh6Io:e6q10k0EFjed6rqJ+6vghzwYu7vih9GE
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2428 microsofthelp.exe -
Executes dropped EXE 1 IoCs
pid Process 2428 microsofthelp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" 9e3494c7374253afde5c470190cd72d0N.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\microsofthelp.exe 9e3494c7374253afde5c470190cd72d0N.exe File created C:\Windows\HidePlugin.dll microsofthelp.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9e3494c7374253afde5c470190cd72d0N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2540 wrote to memory of 2428 2540 9e3494c7374253afde5c470190cd72d0N.exe 30 PID 2540 wrote to memory of 2428 2540 9e3494c7374253afde5c470190cd72d0N.exe 30 PID 2540 wrote to memory of 2428 2540 9e3494c7374253afde5c470190cd72d0N.exe 30 PID 2540 wrote to memory of 2428 2540 9e3494c7374253afde5c470190cd72d0N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e3494c7374253afde5c470190cd72d0N.exe"C:\Users\Admin\AppData\Local\Temp\9e3494c7374253afde5c470190cd72d0N.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\microsofthelp.exe"C:\Windows\microsofthelp.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Windows directory
PID:2428
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5f7079462af4ce55b290c386549044ead
SHA16ec56dfd4dfd7d0c5d7edab0577b3724c1ceae28
SHA2563a71bca9bd1695ca87f9c01030ef15030890bf4f1c8269cb9bf41dc424136561
SHA512bfa38850f1f59c2ed46fbf9543be90b672b762a467166c9713e56eb663dcc4aed7b0debfeb4f821796cd41c5d4fc03226199635fbe7e461c980f489f3cd16711