Overview

Static analysis: score 7

Behavioral tasks (score, sample, platform):
  3  install_ch...rl.exe  windows7-x64
  3  install_ch...rl.exe  windows10-2004-x64
  7  install_ch...db.exe  windows7-x64
  3  install_ch...db.exe  windows10-2004-x64
  3  install_ch...dk.exe  windows7-x64
  3  install_ch...dk.exe  windows10-2004-x64
  3  install_ch...ta.exe  windows7-x64
  3  install_ch...ta.exe  windows10-2004-x64
  3  restart.exe          windows7-x64
  3  restart.exe          windows10-2004-x64
  7  startup.exe          windows7-x64
  3  startup.exe          windows10-2004-x64
  3  stop.exe             windows7-x64
  3  stop.exe             windows10-2004-x64
Analysis (score 7)

max time kernel:  118s
max time network: 122s
platform:         windows7_x64
resource:         win7-20240708-en
resource tags:    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted:        13/09/2024, 08:01
Static task
  static1

Behavioral tasks (task, sample, resource):
  behavioral1   install_check/check_curl.exe  win7-20240704-en
  behavioral2   install_check/check_curl.exe  win10v2004-20240802-en
  behavioral3   install_check/check_db.exe    win7-20240708-en
  behavioral4   install_check/check_db.exe    win10v2004-20240802-en
  behavioral5   install_check/check_jdk.exe   win7-20240704-en
  behavioral6   install_check/check_jdk.exe   win10v2004-20240802-en
  behavioral7   install_check/check_meta.exe  win7-20240903-en
  behavioral8   install_check/check_meta.exe  win10v2004-20240802-en
  behavioral9   restart.exe                   win7-20240903-en
  behavioral10  restart.exe                   win10v2004-20240802-en
  behavioral11  startup.exe                   win7-20240903-en
  behavioral12  startup.exe                   win10v2004-20240802-en
  behavioral13  stop.exe                      win7-20240903-en
  behavioral14  stop.exe                      win10v2004-20240802-en
General

Target:  install_check/check_db.exe
Size:    88KB
MD5:     a592ffbc6fcd0d0d77fa6a1eca6642bf
SHA1:    2348c8f69971cdd388cdcf89a87db6a1afe62be2
SHA256:  522257bfe27d80b388f1e1de8e073166ad1c268ee4b76f209e22bd923de5228d
SHA512:  ad1a90089457b8b928a13183e41de6f7619e5011849eef3c32c4fd1713eab127b7e3c0bef1bf42a962945be1648a64bdacf08939a6256678676d44038bd2722a
SSDEEP:  1536:zj7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf1wqOp:z/FfHgTWmCRkGbKGLeNTBf1O
Malware Config
Signatures

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   check_db.exe

System Network Connections Discovery (1 TTP, 2 IoCs)
  Attempt to get a listing of network connections.
  pid   process
  2256  cmd.exe
  328   NETSTAT.EXE

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid   process
  328   NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  328   NETSTAT.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid   process       procid_target
  PID 1380 wrote to memory of 2448   1380  check_db.exe  31
  PID 1380 wrote to memory of 2448   1380  check_db.exe  31
  PID 1380 wrote to memory of 2448   1380  check_db.exe  31
  PID 1380 wrote to memory of 2448   1380  check_db.exe  31
  PID 2448 wrote to memory of 2256   2448  cmd.exe       32
  PID 2448 wrote to memory of 2256   2448  cmd.exe       32
  PID 2448 wrote to memory of 2256   2448  cmd.exe       32
  PID 2256 wrote to memory of 328    2256  cmd.exe       33
  PID 2256 wrote to memory of 328    2256  cmd.exe       33
  PID 2256 wrote to memory of 328    2256  cmd.exe       33
  PID 2256 wrote to memory of 3020   2256  cmd.exe       34
  PID 2256 wrote to memory of 3020   2256  cmd.exe       34
  PID 2256 wrote to memory of 3020   2256  cmd.exe       34
Processes

C:\Users\Admin\AppData\Local\Temp\install_check\check_db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\install_check\check_db.exe"
  PID: 1380
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B3C5.tmp\B3C6.tmp\B3C7.bat C:\Users\Admin\AppData\Local\Temp\install_check\check_db.exe"
    PID: 2448
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c netstat -ano | findstr 9400
      PID: 2256
      - System Network Connections Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\NETSTAT.EXE
        Command line: netstat -ano
        PID: 328
        - System Network Connections Discovery
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\findstr.exe
        Command line: findstr 9400
        PID: 3020
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 228B
MD5:      47e91d0986fc2672895f88a4ae0acfb8
SHA1:     3b0cb06f8b84c71234c76b1a0c85246291296c8e
SHA256:   52354ca78b38bb80c53b380086a3871852715dbbfc2024cd2f040f98eea17350
SHA512:   625716c1e9c723693e43866c57d97ec2c387a329b735b62d6d382a7d0e9549271a39ec368cab317de83a58719984b441fc6f3c226dc5ef578c588687587648e0