Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/09/2024, 23:12
Behavioral task: behavioral1
Sample: d11668d21bfa63da5e82ba90d3b0eba0N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d11668d21bfa63da5e82ba90d3b0eba0N.exe
Resource: win10v2004-20240802-en
General
Target: d11668d21bfa63da5e82ba90d3b0eba0N.exe
Size: 59KB
MD5: d11668d21bfa63da5e82ba90d3b0eba0
SHA1: 78aad0cfc1c8b19e78a9ef3b7f77bd577ce232d7
SHA256: 1419745b3f6ffe0db358fc0d321a2e9110f1d7088d59587db145b492cf514b48
SHA512: a54c7a14ec467896c14bd63a59033fcf6a170b71585ce23f0bb8819cdbc18358fc37c24420e6727071dbb720353cbfe2d245ebbfb08bc3f068bdd84f4724a84b
SSDEEP: 1536:3+ZgwRdiE8cO4p1xRjfTvSq5r3ZiIZ4nouy8uh1aQ+:OeodiUO4p13b9HiIeoutuh1aQ+
Malware Config
Signatures

Deletes itself (1 IoC)
  pid 2884  cmd.exe

Executes dropped EXE (1 IoC)
  pid 3032  AhnSvc.exe

Loads dropped DLL (2 IoCs)
  pid 1728  d11668d21bfa63da5e82ba90d3b0eba0N.exe
  pid 1728  d11668d21bfa63da5e82ba90d3b0eba0N.exe

UPX packed file (yara rule: upx)
  behavioral1/memory/1728-0-0x0000000000220000-0x0000000000247000-memory.dmp
  behavioral1/files/0x000700000001868b-8.dat
  behavioral1/memory/3032-10-0x0000000001170000-0x0000000001197000-memory.dmp
  behavioral1/memory/1728-11-0x0000000000220000-0x0000000000247000-memory.dmp
  behavioral1/memory/3032-14-0x0000000001170000-0x0000000001197000-memory.dmp
  behavioral1/memory/3032-18-0x0000000001170000-0x0000000001197000-memory.dmp
  behavioral1/memory/1728-22-0x0000000000220000-0x0000000000247000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run"
  process: d11668d21bfa63da5e82ba90d3b0eba0N.exe

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: d11668d21bfa63da5e82ba90d3b0eba0N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: cmd.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1728  d11668d21bfa63da5e82ba90d3b0eba0N.exe
  Token: SeDebugPrivilege  pid 3032  AhnSvc.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1728 wrote to memory of 3032  d11668d21bfa63da5e82ba90d3b0eba0N.exe  procid_target 31
  PID 1728 wrote to memory of 3032  d11668d21bfa63da5e82ba90d3b0eba0N.exe  procid_target 31
  PID 1728 wrote to memory of 3032  d11668d21bfa63da5e82ba90d3b0eba0N.exe  procid_target 31
  PID 1728 wrote to memory of 3032  d11668d21bfa63da5e82ba90d3b0eba0N.exe  procid_target 31
  PID 1728 wrote to memory of 2884  d11668d21bfa63da5e82ba90d3b0eba0N.exe  procid_target 32
  PID 1728 wrote to memory of 2884  d11668d21bfa63da5e82ba90d3b0eba0N.exe  procid_target 32
  PID 1728 wrote to memory of 2884  d11668d21bfa63da5e82ba90d3b0eba0N.exe  procid_target 32
  PID 1728 wrote to memory of 2884  d11668d21bfa63da5e82ba90d3b0eba0N.exe  procid_target 32
Processes

1. C:\Users\Admin\AppData\Local\Temp\d11668d21bfa63da5e82ba90d3b0eba0N.exe  (PID 1728)
   command line: "C:\Users\Admin\AppData\Local\Temp\d11668d21bfa63da5e82ba90d3b0eba0N.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\AhnLab\AhnSvc.exe  (PID 3032)
      command line: "C:\ProgramData\AhnLab\AhnSvc.exe" /run
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmd.exe  (PID 2884)
      command line: "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\d11668d21bfa63da5e82ba90d3b0eba0N.exe" >> NUL
      - Deletes itself
      - System Location Discovery: System Language Discovery
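The two behaviours that matter most in this report for detection are the Run-key persistence (a value under HKLM\...\Wow6432Node\...\Run pointing at a freshly dropped binary in C:\ProgramData) and the self-deletion (the sample spawning cmd.exe to del its own image). The script below is an added example, not part of the tria.ge report or of any vendor tooling; it shows how those two IoCs become detection logic over process-creation and registry-set events. The events are constructed to mirror the report's process tree and registry entry in a simplified Sysmon-like shape (the field names, the parent PID of 1728 and the benign control events are assumptions, not data from the report). The WriteProcessMemory entries are deliberately not used as a signal, since a parent writing into a child it has just created is ordinary process start-up behaviour and would fire on every process launch.

```python
"""Turn the Run-key persistence and self-deletion IoCs from the report
into detection logic.  All events below are constructed; they mirror the
report's process tree but are not real Sysmon output."""
import re

# Constructed events modelled on Sysmon Event ID 1 (process create) and
# Event ID 13 (registry value set).  Field names and the ppid of 1728
# are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d11668d21bfa63da5e82ba90d3b0eba0N.exe"
EVENTS = [
    {"event": "process_create", "pid": 1728, "ppid": 1000,
     "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"event": "registry_set", "pid": 1728, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate",
     "details": r'"C:\ProgramData\AhnLab\AhnSvc.exe" /run'},
    {"event": "process_create", "pid": 3032, "ppid": 1728,
     "image": r"C:\ProgramData\AhnLab\AhnSvc.exe",
     "cmdline": r'"C:\ProgramData\AhnLab\AhnSvc.exe" /run'},
    {"event": "process_create", "pid": 2884, "ppid": 1728,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\system32\\cmd.exe" /c del /q "%s" >> NUL' % SAMPLE},
]

# Constructed benign control: an installer registering a tray app from
# Program Files and cleaning up its own log file.  Neither rule should fire.
BENIGN_EVENTS = [
    {"event": "process_create", "pid": 500, "ppid": 400,
     "image": r"C:\Program Files\Vendor\Setup.exe",
     "cmdline": r'"C:\Program Files\Vendor\Setup.exe"'},
    {"event": "registry_set", "pid": 500,
     "image": r"C:\Program Files\Vendor\Setup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r'"C:\Program Files\Vendor\Tray.exe" /background'},
    {"event": "process_create", "pid": 501, "ppid": 500,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'},
]

# Matches both the native and the Wow6432Node Run/RunOnce keys.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories from which a legitimate installer rarely autostarts a binary.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
# Captures the quoted path following a 'del' in a cmd.exe command line.
DEL_RE = re.compile(r'\bdel\b[^"]*"([^"]+)"', re.I)


def first_token(cmdline: str) -> str:
    """Return the executable path from a command line, honouring quotes."""
    s = cmdline.strip()
    if s.startswith('"') and '"' in s[1:]:
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def detect_run_key_persistence(events):
    """Flag Run-key values whose target lives in a user-writable drop dir.
    Returns (pid, registry target, lowercased exe path) per hit."""
    hits = []
    for ev in events:
        if ev["event"] != "registry_set" or not RUN_KEY_RE.search(ev["target"]):
            continue
        exe = first_token(ev["details"]).lower()
        if any(d in exe for d in SUSPICIOUS_DIRS):
            hits.append((ev["pid"], ev["target"], exe))
    return hits


def detect_self_deletion(events):
    """Flag a cmd.exe child whose 'del' target is its parent's own image.
    Returns (cmd pid, parent pid, deleted path) per hit."""
    by_pid = {ev["pid"]: ev for ev in events if ev["event"] == "process_create"}
    hits = []
    for ev in by_pid.values():
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(ev["cmdline"])
        parent = by_pid.get(ev["ppid"])
        if m and parent and m.group(1).lower() == parent["image"].lower():
            hits.append((ev["pid"], parent["pid"], m.group(1)))
    return hits


if __name__ == "__main__":
    for name, evs in (("report", EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, "run-key:", detect_run_key_persistence(evs))
        print(name, "self-delete:", detect_self_deletion(evs))
```

Matching the deleted path against the parent's image rather than merely alerting on "cmd.exe /c del" is what keeps the benign control quiet: installers and updaters delete temp files constantly, but a process arranging for its own executable to be removed after it has already dropped and launched a copy elsewhere is the pattern the report shows. The Run-key rule is intentionally path-based rather than value-name-based, because the value name (here "AhnUpadate", a misspelling of a legitimate vendor product) changes from sample to sample while the drop directory does not.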
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 59KB
MD5: fbf613525aa8ad47f361159fbed34730
SHA1: bf2c1d4472d7230552e47e0fb5bfe2c1dcad1ea1
SHA256: 04ef33459495ca082f5544f16ec1d16af76178a1d422c1cef593da23dadd7362
SHA512: 16896c97e89bab64ff9b5593dbc6bb623f5eeb2929656fe41242a01dabe4bab438156299da5a8182e991446e0c39ca5bbd7c1c2626bfa6073fd45c09cd15f392