Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/09/2024, 04:07
Tasks
task         sample                               resource
static1      (static analysis)                    -
behavioral1  Undertale_Free_Download_(v1.08).7z   win7-20240903-en
behavioral2  Undertale_Free_Download_(v1.08).7z   win10v2004-20240802-en
behavioral3  723.7z                               win7-20240903-en
behavioral4  723.7z                               win10v2004-20240802-en

The sections below are the results for behavioral3 (target 723.7z on win7-20240903-en).
General
Target: 723.7z
Size: 10.5MB
MD5: 55c0b65cc02aeaae2e6cbb94947b9c05
SHA1: f8f3434679aa154f38921d7c5b68787b6ef2ffb1
SHA256: b9d8f132826a61e15d1681f9ed82ab572fa182b062abc4d6e4e3291681dfb2b5
SHA512: 49f216712b371fc73add2f24ac229c97034b374b408c6631619f115675803f95e1d28a375e5311af40e2fc3c0192b75eb65159ba7a7db91d9926f95a97dddc16
SSDEEP: 196608:9lN05erlbndN+5Y4r+qFJ4epLK0g1MxBC1W4W7AyrIJzo0ba:9lN0EZdN+5Y4r+qFvpWwxqWCJPe
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AcroRd32.exe

Modifies registry class (2 IoCs)
  description   ioc                                                                                   process
  Key created   \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings   rundll32.exe
  Key created   \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings   rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    process
  2632   AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    process
  2632   AcroRd32.exe
  2632   AcroRd32.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid    process        procid_target
  PID 3040 wrote to memory of 2080   3040   cmd.exe        31
  PID 3040 wrote to memory of 2080   3040   cmd.exe        31
  PID 3040 wrote to memory of 2080   3040   cmd.exe        31
  PID 2080 wrote to memory of 2840   2080   rundll32.exe   33
  PID 2080 wrote to memory of 2840   2080   rundll32.exe   33
  PID 2080 wrote to memory of 2840   2080   rundll32.exe   33
  PID 2840 wrote to memory of 2632   2840   rundll32.exe   35
  PID 2840 wrote to memory of 2632   2840   rundll32.exe   35
  PID 2840 wrote to memory of 2632   2840   rundll32.exe   35
  PID 2840 wrote to memory of 2632   2840   rundll32.exe   35

Note that every WriteProcessMemory row is a parent writing into the child it has just created (3040 -> 2080 -> 2840 -> 2632, matching the Processes tree below). That is what ordinary process creation looks like on Windows; none of these writes target an unrelated, already-running process, so they are not evidence of injection. The remaining hits (NLS\Language lookup, SetWindowsHookEx, GetForegroundWindow polling) all come from AcroRd32.exe rather than from anything inside the archive.
Processes

1. C:\Windows\system32\cmd.exe (PID 3040)
   cmd /c C:\Users\Admin\AppData\Local\Temp\723.7z
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID 2080)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\723.7z
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\rundll32.exe (PID 2840)
         "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\723.7z
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2632)
            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\723.7z"
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx

This tree shows that the sample never actually ran. The win7 image has no application registered for the .7z extension, so the shell fell back to the "Open with" dialog (shell32.dll,OpenAs_RunDLL), and the archive was then handed unchanged to Adobe Reader 9, which cannot read 7z archives. Nothing inside 723.7z was extracted or executed, and every signature above is Reader's own startup behaviour. To get a meaningful detonation, extract the archive first and submit the contained files, or use an image that has an archiver registered for .7z.
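The pattern above (sample -> rundll32 OpenAs_RunDLL -> some unrelated handler) is worth catching automatically when triaging sandbox reports in bulk, because it quietly produces a run full of handler noise and no sample behaviour. The following Python is an added example, not tria.ge code. It takes a process list constructed from the Processes section (PIDs and parent links as in the WriteProcessMemory rows), plus a hypothetical contrast run in which 7-Zip is registered for the extension, and reports whether the sample was routed through the "Open with" fallback.

```python
"""Triage helper: did the sandbox run the sample, or only show "Open with"?

Added example, not part of the tria.ge report. It parses a process list in the
shape of the Processes section (pid, parent pid, command line) and flags runs
where the sample was handed to shell32.dll,OpenAs_RunDLL, meaning the image had
no registered handler for the file type and nothing inside the sample ran.
"""
import re

# Constructed from the Processes section above. Parent PIDs follow the
# WriteProcessMemory rows (3040 -> 2080 -> 2840 -> 2632).
REPORT_PROCS = [
    (3040, None, r"cmd /c C:\Users\Admin\AppData\Local\Temp\723.7z"),
    (2080, 3040, r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\723.7z'),
    (2840, 2080, r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\723.7z'),
    (2632, 2840, r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\723.7z"'),
]

# Constructed contrast case (hypothetical): an image with 7-Zip registered for .7z.
DETONATED_PROCS = [
    (1000, None, r"cmd /c C:\Users\Admin\AppData\Local\Temp\723.7z"),
    (1004, 1000, r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\723.7z"'),
]

OPENAS_RE = re.compile(r"shell32\.dll,OpenAs_RunDLL", re.IGNORECASE)


def build_tree(procs):
    """Index processes by pid and collect each pid's children."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in procs}
    children = {pid: [] for pid in by_pid}
    for pid, (ppid, _) in by_pid.items():
        if ppid in children:
            children[ppid].append(pid)
    return by_pid, children


def triage(procs, sample_path):
    """Return a verdict dict describing whether the sample itself was executed."""
    by_pid, children = build_tree(procs)
    fallback = [pid for pid, (_, cmd) in by_pid.items() if OPENAS_RE.search(cmd)]
    if not fallback:
        return {"verdict": "handler-found", "fallback_pids": [], "handler_pids": []}

    # Whatever the "Open with" dialog launched is the first non-OpenAs descendant.
    handler_pids = [
        child for pid in fallback for child in children[pid] if child not in fallback
    ]
    # If that handler received the untouched sample path, the archive was never
    # extracted: the signatures that follow belong to the handler, not the sample.
    passed_unchanged = [
        pid for pid in handler_pids if sample_path.lower() in by_pid[pid][1].lower()
    ]
    return {
        "verdict": "not-detonated",
        "fallback_pids": fallback,
        "handler_pids": handler_pids,
        "sample_passed_unchanged": passed_unchanged,
    }


def render_tree(procs):
    """Indented process tree, one line per process, for quick reading."""
    by_pid, children = build_tree(procs)
    roots = [pid for pid, (ppid, _) in by_pid.items() if ppid not in by_pid]
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid}: {by_pid[pid][1]}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    sample = r"C:\Users\Admin\AppData\Local\Temp\723.7z"
    print(render_tree(REPORT_PROCS))
    print(triage(REPORT_PROCS, sample))
    print(triage(DETONATED_PROCS, sample))
```

On the report's process list this yields verdict "not-detonated" with PIDs 2080 and 2840 as the fallback dialog and 2632 (AcroRd32.exe) as the handler that received the raw archive path; on the hypothetical 7-Zip run it yields "handler-found". A practitioner would gate any automated scoring on this verdict, since signatures fired by the fallback handler say nothing about the sample.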
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: b794b8cc05d5d234a90e6129162d9c3a
SHA1: 93e2fcd6fb16f734facf5134d2c004bb3d0aa40e
SHA256: f4fae3b1a9ab7f9de546ab54c99004712ad2a806949db704f63e7883ae25e31c
SHA512: c7373ac181891e8d1761ad76e4861daf11ed0829b852e84052ac701936130b9f05396d6839d8f86bb4b0e835d847e4127ba0cc1489e07b29442ad4aa8477f716