Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
Static (score 7)
Behavioral tasks (score / sample / platform):
- 3 / install_ch...rl.exe / windows7-x64
- 3 / install_ch...rl.exe / windows10-2004-x64
- 7 / install_ch...db.exe / windows7-x64
- 3 / install_ch...db.exe / windows10-2004-x64
- 3 / install_ch...dk.exe / windows7-x64
- 3 / install_ch...dk.exe / windows10-2004-x64
- 3 / install_ch...ta.exe / windows7-x64
- 3 / install_ch...ta.exe / windows10-2004-x64
- 3 / restart.exe / windows7-x64
- 3 / restart.exe / windows10-2004-x64
- 7 / startup.exe / windows7-x64
- 3 / startup.exe / windows10-2004-x64
- 3 / stop.exe / windows7-x64
- 3 / stop.exe / windows10-2004-x64
Analysis (score 7)
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/09/2024, 08:01
Static task: static1
Behavioral tasks (task / sample / resource):
- behavioral1 / install_check/check_curl.exe / win7-20240704-en
- behavioral2 / install_check/check_curl.exe / win10v2004-20240802-en
- behavioral3 / install_check/check_db.exe / win7-20240708-en
- behavioral4 / install_check/check_db.exe / win10v2004-20240802-en
- behavioral5 / install_check/check_jdk.exe / win7-20240704-en
- behavioral6 / install_check/check_jdk.exe / win10v2004-20240802-en
- behavioral7 / install_check/check_meta.exe / win7-20240903-en
- behavioral8 / install_check/check_meta.exe / win10v2004-20240802-en
- behavioral9 / restart.exe / win7-20240903-en
- behavioral10 / restart.exe / win10v2004-20240802-en
- behavioral11 / startup.exe / win7-20240903-en
- behavioral12 / startup.exe / win10v2004-20240802-en
- behavioral13 / stop.exe / win7-20240903-en
- behavioral14 / stop.exe / win10v2004-20240802-en
General
- Target: install_check/check_meta.exe
- Size: 89KB
- MD5: 154d4585534f8f8dfde2275f4dd2bb06
- SHA1: 9510340a04b94f53681851424a67cd9530081c50
- SHA256: 06e4874e142b3c5a6891b7476cf6932be27497139fef536ae0da61723a53c5f0
- SHA512: 9daa4c336bab9825eba50942432d5592ac755540a7a56bafe4459fe62b7317866111b3b29c4704e426d5a39c8deba77eca2d3a5c5113155f28420816a5d81101
- SSDEEP: 1536:I87ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfSwrO2:ISFfHgTWmCRkGbKGLeNTBfS0
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: check_meta.exe
- System Network Connections Discovery (1 TTP, 2 IoCs)
  Attempts to get a listing of network connections.
  pid 1848 cmd.exe; pid 1040 NETSTAT.EXE
- Gathers network information (2 TTPs, 1 IoC)
  Uses a command-line utility to view network configuration.
  pid 1040 NETSTAT.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege | pid 1040 NETSTAT.EXE
- Suspicious use of WriteProcessMemory (13 IoCs)
  writer pid | writer process | target pid | procid_target | entries
  2380 | check_meta.exe | 2560 | 31 | 4
  2560 | cmd.exe | 1848 | 32 | 3
  1848 | cmd.exe | 1040 | 33 | 3
  1848 | cmd.exe | 2060 | 34 | 3
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe (PID 2380)
  command line: "C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - depth 2: C:\Windows\system32\cmd.exe (PID 2560)
    command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7F7C.tmp\7F7D.tmp\7F7E.bat C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe"
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Windows\system32\cmd.exe (PID 1848)
      command line: C:\Windows\system32\cmd.exe /c netstat -ano | findstr 10100
      - System Network Connections Discovery
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Windows\system32\NETSTAT.EXE (PID 1040)
        command line: netstat -ano
        - System Network Connections Discovery
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
      - depth 4: C:\Windows\system32\findstr.exe (PID 2060)
        command line: findstr 10100
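Worked triage of the signatures and the process tree above, as an added example; this is not tria.ge code, and the event layout (pid, ppid, image, cmdline tuples) is an assumption rather than the sandbox's schema. The process list and the WriteProcessMemory pairs are transcribed from this report; the netstat output is constructed. Three points the report alone does not spell out: every "wrote to memory of" pair is a parent writing into the child it has just created (2380 -> 2560 -> 1848 -> 1040/2060), which is what CreateProcess does while setting up the child, so the 13 IoCs carry no injection signal here (the SeDebugPrivilege adjustment is likewise attributed to NETSTAT.EXE, not to the sample); the "network connections discovery" is one `netstat -ano | findstr 10100`, and because findstr is a substring match it also hits lines where 10100 is a PID or part of another column, so a precise port check is shown beside it; and the depth-2 cmd.exe runs a .bat dropped under nested %TEMP%\XXXX.tmp folders with the sample's own path as argument, the launch pattern of a batch script wrapped into an executable.

```python
"""Triage helpers for a report like the one above (added example, not tria.ge code).
PROCESSES and WPM_EVENTS are transcribed from this report's Processes and
Signatures sections; NETSTAT_SAMPLE is constructed.  The tuple layout
(pid, ppid, image, cmdline) is an assumption, not the sandbox's schema."""
import re
from collections import Counter

# (pid, parent pid, image, command line) as shown in the Processes section.
PROCESSES = [
    (2380, None, r"C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe"'),
    (2560, 2380, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7F7C.tmp\7F7D.tmp\7F7E.bat '
     r'C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe"'),
    (1848, 2560, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c netstat -ano | findstr 10100"),
    (1040, 1848, r"C:\Windows\system32\NETSTAT.EXE", "netstat -ano"),
    (2060, 1848, r"C:\Windows\system32\findstr.exe", "findstr 10100"),
]

# "PID A wrote to memory of B" pairs; the report lists 13 of them.
WPM_EVENTS = [(2380, 2560)] * 4 + [(2560, 1848)] * 3 + [(1848, 1040)] * 3 + [(1848, 2060)] * 3


def classify_wpm(wpm_events, processes):
    """Separate writes from a parent into its own direct child (what CreateProcess
    does while setting the child up) from writes into any other process, which
    are the ones worth treating as possible injection."""
    parent_of = {pid: ppid for pid, ppid, _, _ in processes}
    spawn_writes, other_writes = Counter(), Counter()
    for writer, target in wpm_events:
        bucket = spawn_writes if parent_of.get(target) == writer else other_writes
        bucket[(writer, target)] += 1
    return spawn_writes, other_writes


NETSTAT_PIPE = re.compile(r"\bnetstat\b.*\|\s*findstr\s+(\S+)\s*$", re.I)
TEMP_BAT = re.compile(r"\\Temp\\[0-9A-F]{4}\.tmp\\.*\.bat\b", re.I)


def find_port_discovery(processes):
    """Return (pid, literal) for every cmd.exe that pipes netstat into findstr."""
    return [(pid, NETSTAT_PIPE.search(cmd).group(1))
            for pid, _, image, cmd in processes
            if image.lower().endswith("cmd.exe") and NETSTAT_PIPE.search(cmd)]


def find_temp_batch_runners(processes):
    """Return pids of cmd.exe instances launched to run a .bat dropped under a
    %TEMP%\\XXXX.tmp directory, the launch pattern visible at depth 2 above."""
    return [pid for pid, _, image, cmd in processes
            if image.lower().endswith("cmd.exe") and TEMP_BAT.search(cmd)]


# Constructed `netstat -ano` output: one real listener on 10100 and a decoy
# connection whose owning PID happens to be 10100.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    127.0.0.1:10100        0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49713         10.0.0.9:443           ESTABLISHED     10100
  UDP    [::]:5353              *:*                                    1388
"""


def findstr_like(output, needle):
    """What `findstr 10100` really does: a plain substring match on each line."""
    return [line for line in output.splitlines() if needle in line]


def local_port_hits(output, port, state=None):
    """The check the script presumably wanted: parse the Local Address column and
    compare the port, optionally requiring a TCP state.  Returns owning PIDs."""
    pids = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) >= 5:
            conn_state, pid = parts[3], parts[4]
        elif parts[0] == "UDP" and len(parts) >= 4:
            conn_state, pid = None, parts[3]          # UDP rows have no State column
        else:
            continue
        local_port = int(parts[1].rsplit(":", 1)[1])  # handles [::]:port as well
        if local_port == port and (state is None or conn_state == state):
            pids.append(int(pid))
    return pids


if __name__ == "__main__":
    spawn, other = classify_wpm(WPM_EVENTS, PROCESSES)
    print("parent->child writes:", dict(spawn), "| other:", dict(other))
    print("netstat|findstr discovery:", find_port_discovery(PROCESSES))
    print("temp .bat runners:", find_temp_batch_runners(PROCESSES))
    print("findstr-style hits for 10100:", len(findstr_like(NETSTAT_SAMPLE, "10100")))
    print("precise listener hits for 10100:", local_port_hits(NETSTAT_SAMPLE, 10100, "LISTENING"))
```

Run against the report's own tree, `classify_wpm` files all 13 writes as parent-to-child and nothing as cross-process; a pair such as (2560, 1040), where cmd.exe at depth 2 wrote into NETSTAT.EXE two levels down, is what would land in the second bucket. On the constructed output, `findstr_like` returns two lines for "10100" while `local_port_hits` returns only PID 4120, the process actually bound to the port.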
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 399B
  MD5: a7c949c451cb9ccbd27dfec42aa17a01
  SHA1: 7ddb28b45060b2726f1b0bb003b329dc923b0e59
  SHA256: 668383a4c8513eaf7ad526b3efc54f7f73f5f42b3762633f817ab3da86e8d47d
  SHA512: 5001701b87b7379e5634c8fb928fcd436061d6c4e2ad738c320169f62786dbfdb604f90e7edd8f5954c7117707829be3d0f65d863a849f1acfe513f27735d1e0