Overview

Score: 7/10

Tasks (score / sample / platform):
7  static               (static analysis)
3  install_ch...rl.exe  windows7-x64
3  install_ch...rl.exe  windows10-2004-x64
7  install_ch...db.exe  windows7-x64
3  install_ch...db.exe  windows10-2004-x64
3  install_ch...dk.exe  windows7-x64
3  install_ch...dk.exe  windows10-2004-x64
3  install_ch...ta.exe  windows7-x64
3  install_ch...ta.exe  windows10-2004-x64
3  restart.exe          windows7-x64
3  restart.exe          windows10-2004-x64
7  startup.exe          windows7-x64
3  startup.exe          windows10-2004-x64
3  stop.exe             windows7-x64
3  stop.exe             windows10-2004-x64
Analysis

- max time kernel: 93s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/09/2024, 08:01
Tasks

- static1 (static task)
- behavioral1: install_check/check_curl.exe on resource win7-20240704-en
- behavioral2: install_check/check_curl.exe on resource win10v2004-20240802-en
- behavioral3: install_check/check_db.exe on resource win7-20240708-en
- behavioral4: install_check/check_db.exe on resource win10v2004-20240802-en
- behavioral5: install_check/check_jdk.exe on resource win7-20240704-en
- behavioral6: install_check/check_jdk.exe on resource win10v2004-20240802-en
- behavioral7: install_check/check_meta.exe on resource win7-20240903-en
- behavioral8: install_check/check_meta.exe on resource win10v2004-20240802-en
- behavioral9: restart.exe on resource win7-20240903-en
- behavioral10: restart.exe on resource win10v2004-20240802-en
- behavioral11: startup.exe on resource win7-20240903-en
- behavioral12: startup.exe on resource win10v2004-20240802-en
- behavioral13: stop.exe on resource win7-20240903-en
- behavioral14: stop.exe on resource win10v2004-20240802-en
General

- Target: install_check/check_meta.exe
- Size: 89KB
- MD5: 154d4585534f8f8dfde2275f4dd2bb06
- SHA1: 9510340a04b94f53681851424a67cd9530081c50
- SHA256: 06e4874e142b3c5a6891b7476cf6932be27497139fef536ae0da61723a53c5f0
- SHA512: 9daa4c336bab9825eba50942432d5592ac755540a7a56bafe4459fe62b7317866111b3b29c4704e426d5a39c8deba77eca2d3a5c5113155f28420816a5d81101
- SSDEEP: 1536:I87ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfSwrO2:ISFfHgTWmCRkGbKGLeNTBfS0
Malware Config
Signatures

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: check_meta.exe

- System Network Connections Discovery (1 TTP, 2 IoCs)
  Attempts to get a listing of network connections.
  pid 2280 cmd.exe
  pid 2860 NETSTAT.EXE

- Gathers network information (2 TTPs, 1 IoC)
  Uses a command-line utility to view network configuration.
  pid 2860 NETSTAT.EXE

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid 2860 | process: NETSTAT.EXE

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | procid_target
  PID 784 wrote to memory of 2652 | 784 | check_meta.exe | 84
  PID 784 wrote to memory of 2652 | 784 | check_meta.exe | 84
  PID 2652 wrote to memory of 2280 | 2652 | cmd.exe | 85
  PID 2652 wrote to memory of 2280 | 2652 | cmd.exe | 85
  PID 2280 wrote to memory of 2860 | 2280 | cmd.exe | 86
  PID 2280 wrote to memory of 2860 | 2280 | cmd.exe | 86
  PID 2280 wrote to memory of 1616 | 2280 | cmd.exe | 87
  PID 2280 wrote to memory of 1616 | 2280 | cmd.exe | 87
Processes

- C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe"
  PID: 784
  signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\73E8.tmp\73E9.tmp\73EA.bat C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe"
    PID: 2652
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c netstat -ano | findstr 10100
      PID: 2280
      signatures: System Network Connections Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\NETSTAT.EXE
        command line: netstat -ano
        PID: 2860
        signatures: System Network Connections Discovery; Gathers network information; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\findstr.exe
        command line: findstr 10100
        PID: 1616
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 399B
  MD5: a7c949c451cb9ccbd27dfec42aa17a01
  SHA1: 7ddb28b45060b2726f1b0bb003b329dc923b0e59
  SHA256: 668383a4c8513eaf7ad526b3efc54f7f73f5f42b3762633f817ab3da86e8d47d
  SHA512: 5001701b87b7379e5634c8fb928fcd436061d6c4e2ad738c320169f62786dbfdb604f90e7edd8f5954c7117707829be3d0f65d863a849f1acfe513f27735d1e0