Analysis
- max time kernel: 79s
- max time network: 79s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 13/09/2024, 01:14
Static task: static1
Behavioral task: behavioral1
- Sample: d3c072b721fbc0d53dd75e1e59238020N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: d3c072b721fbc0d53dd75e1e59238020N.exe
- Resource: win10v2004-20240910-en
General
- Target: d3c072b721fbc0d53dd75e1e59238020N.exe
- Size: 358KB
- MD5: d3c072b721fbc0d53dd75e1e59238020
- SHA1: 8a21b2eea085874c14554538cafbe1a99acaf10d
- SHA256: 67b059bd1eb166b8aa77519605a44d4a13963dc3a24aeac952726db5e315becd
- SHA512: 7580bddd6b8a1c21476fa79e1b1d530b5c55c2ae7437a74cac2ce4dec21b670aa170b9f0db1831650fbd72d17c541e3bcf449f2e9b8b59354821a84351b93a8d
- SSDEEP: 6144:XRobyqO195qa8gjAh+jq203vATD2NLDa48An2N2FSmksqtB9:XWbyqO19D8gjBjmukXx5pesqr9
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: d3c072b721fbc0d53dd75e1e59238020N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\FQLXIZ = "C:\\Windows\\SysWOW64\\aaclientb.exe" (process: d3c072b721fbc0d53dd75e1e59238020N.exe)
Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: aaclientb.exe)
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: d3c072b721fbc0d53dd75e1e59238020N.exe)
Deletes itself (1 IoC)
- PID 2592: cmd.exe
Executes dropped EXE (1 IoC)
- PID 2716: aaclientb.exe
Loads dropped DLL (2 IoCs)
- PID 2084: d3c072b721fbc0d53dd75e1e59238020N.exe
- PID 2084: d3c072b721fbc0d53dd75e1e59238020N.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: d3c072b721fbc0d53dd75e1e59238020N.exe)
Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\aaclientb.exe (process: d3c072b721fbc0d53dd75e1e59238020N.exe)
- File created: C:\Windows\SysWOW64\aaclientb.exe (process: d3c072b721fbc0d53dd75e1e59238020N.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d3c072b721fbc0d53dd75e1e59238020N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aaclientb.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ipconfig.exe)
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
- PID 2200: ipconfig.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2084: d3c072b721fbc0d53dd75e1e59238020N.exe
- PID 2084: d3c072b721fbc0d53dd75e1e59238020N.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2084 (process: d3c072b721fbc0d53dd75e1e59238020N.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2716: aaclientb.exe
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2084 (d3c072b721fbc0d53dd75e1e59238020N.exe) wrote to memory of 2716, procid_target 30 (4 entries)
- PID 2716 (aaclientb.exe) wrote to memory of 2200, procid_target 32 (4 entries)
- PID 2084 (d3c072b721fbc0d53dd75e1e59238020N.exe) wrote to memory of 2592, procid_target 34 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\d3c072b721fbc0d53dd75e1e59238020N.exe (PID: 2084)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3c072b721fbc0d53dd75e1e59238020N.exe"
  Signatures:
  - Adds policy Run key to start application
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\aaclientb.exe (PID: 2716)
    Command line: C:\Windows\SysWOW64\aaclientb.exe
    Signatures:
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\ipconfig.exe (PID: 2200)
      Command line: "C:\Windows\system32\ipconfig.exe" /flushdns
      Signatures:
      - System Location Discovery: System Language Discovery
      - Gathers network information
  - C:\Windows\SysWOW64\cmd.exe (PID: 2592)
    Command line: /c C:\Users\Admin\AppData\Local\Temp\~unins176.bat "C:\Users\Admin\AppData\Local\Temp\d3c072b721fbc0d53dd75e1e59238020N.exe"
    Signatures:
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 49B
  MD5: 9e0a2f5ab30517809b95a1ff1dd98c53
  SHA1: 5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
  SHA256: 97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
  SHA512: e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42
- Filesize: 104KB
  MD5: 476e102baeac3917dd6d44a58fd83bba
  SHA1: c8c406ccc0c4134519e50656d8c8d1bb346949f2
  SHA256: c1c900e1dce978f7d47a23fed43b9f4640d8f139f0c6e2cdfdc4720acffe7d84
  SHA512: 16b8235b35cd69fae76ad2a7411b70ee3e0c0f52f1e7b3a359fc20cd08fadf0b6f54c20330326c6233087b58dc46cfbaeb8d197a495de6cb10f140c55c7b5303