Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/09/2024, 04:44
Behavioral task: behavioral1
- Sample: 026bddb8a2649f9a296d58fa64958130N.exe
- Resource: win7-20240903-en
General
- Target: 026bddb8a2649f9a296d58fa64958130N.exe
- Size: 38KB
- MD5: 026bddb8a2649f9a296d58fa64958130
- SHA1: 72a05ce5a022fd36c367b295d4cc60c532037bde
- SHA256: da0fe98ee2da7e9c071aba8565fe4cb915a45cdaf27dffdcf1f604db8fa5e85c
- SHA512: e62a80a9cade95eb05d8a57500102e2ac7cb8bfd128d93df6793506f181881323dff38ba1e20a76cc145ba9942454f2a26d372248c73c38c10d5bbe4bdca4044
- SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOf:NWQa2TLEmITcoQxfllfmS1cOf
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  4260  smss.exe

Yara rule matches (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1292-0-0x0000000000400000-0x0000000000422000-memory.dmp    upx
  behavioral2/files/0x00080000000234da-5.dat                                    upx
  behavioral2/memory/1292-11-0x0000000000400000-0x0000000000422000-memory.dmp   upx
  behavioral2/memory/4260-13-0x0000000000400000-0x0000000000422000-memory.dmp   upx
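The yara table names its resources as `<task>/memory/<pid>-<n>-<start>-<end>-memory.dmp` for memory dumps and `<task>/files/<id>-<n>.dat` for dropped files. The following is an added example, not tria.ge's own code: it parses those names (the pattern is inferred from the entries on this page, not from a documented format) and relates the size of the UPX-flagged in-memory region to the 38KB on-disk size. The region 0x400000-0x422000 is 0x22000 bytes, roughly 3.6 times the file on disk, which is what you expect when a compressed (packed) executable has been expanded in memory; the approximate byte count for "38KB" is an assumption.

```python
"""Parse tria.ge yara-match resource names and compare the flagged in-memory
image size with the on-disk size. Added example; the naming pattern is
inferred from this page's entries and is not a documented API."""
import re

# Entries copied from the yara table above: (resource, rule).
YARA_MATCHES = [
    ("behavioral2/memory/1292-0-0x0000000000400000-0x0000000000422000-memory.dmp", "upx"),
    ("behavioral2/files/0x00080000000234da-5.dat", "upx"),
    ("behavioral2/memory/1292-11-0x0000000000400000-0x0000000000422000-memory.dmp", "upx"),
    ("behavioral2/memory/4260-13-0x0000000000400000-0x0000000000422000-memory.dmp", "upx"),
]
# "38KB" from the General section; the exact byte count is not on the page (assumption).
DISK_SIZE_APPROX = 38 * 1024

MEMORY_DUMP = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$")
DROPPED_FILE = re.compile(
    r"^(?P<task>[^/]+)/files/(?P<fileid>0x[0-9a-fA-F]+)-(?P<idx>\d+)\.dat$")


def parse_resource(name):
    """Return a dict describing one resource name, or None if it is not recognised."""
    m = MEMORY_DUMP.match(name)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"bad region in {name}")
        return {"kind": "memory", "task": m["task"], "pid": int(m["pid"]),
                "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}
    m = DROPPED_FILE.match(name)
    if m:
        return {"kind": "file", "task": m["task"], "fileid": m["fileid"], "idx": int(m["idx"])}
    return None


def packed_image_summary(matches, disk_size, rule="upx"):
    """For each pid with a memory region matching `rule`, collect the distinct
    regions and the ratio of the largest region to the on-disk file size.
    A mapped image several times larger than the file on disk is consistent
    with a packed executable having been expanded in memory."""
    summary = {}
    for name, matched_rule in matches:
        if matched_rule != rule:
            continue
        r = parse_resource(name)
        if r is None or r["kind"] != "memory":
            continue
        entry = summary.setdefault(r["pid"], {"regions": set(), "size": 0})
        entry["regions"].add((r["start"], r["end"]))
        entry["size"] = max(entry["size"], r["size"])
        entry["ratio"] = round(entry["size"] / disk_size, 2)
    return summary


if __name__ == "__main__":
    for pid, info in sorted(packed_image_summary(YARA_MATCHES, DISK_SIZE_APPROX).items()):
        regions = ", ".join(f"0x{s:x}-0x{e:x}" for s, e in sorted(info["regions"]))
        print(f"pid {pid}: {regions} size=0x{info['size']:x} ratio={info['ratio']}x on-disk")
```

Both the original process (1292) and the dropped copy (4260) map the same 0x400000-0x422000 image, which matches the dropped file being a copy of the sample rather than a second-stage payload of a different size.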
Drops file in System32 directory (3 IoCs)
  description                    ioc                                  Process
  File opened for modification   C:\Windows\SysWOW64\1230\smss.exe    smss.exe
  File opened for modification   C:\Windows\SysWOW64\Service.exe      smss.exe
  File opened for modification   C:\Windows\SysWOW64\1230\smss.exe    026bddb8a2649f9a296d58fa64958130N.exe
Launches sc.exe (2 IoCs)
sc.exe is the Windows utility for controlling services on the system. Both invocations in this run are "sc.exe stop wscsvc", i.e. stopping the Windows Security Center service.
  pid   Process
  2276  sc.exe
  228   sc.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location (ATT&CK T1614.001). Note that this registry key is read by many ordinary processes during startup (it fires on the built-in sc.exe here as well), so on its own it is a low-signal indicator.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    026bddb8a2649f9a296d58fa64958130N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    sc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    smss.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    sc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1292  026bddb8a2649f9a296d58fa64958130N.exe
  4260  smss.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                procid_target
  PID 1292 wrote to memory of 2276   1292  026bddb8a2649f9a296d58fa64958130N.exe  83
  PID 1292 wrote to memory of 2276   1292  026bddb8a2649f9a296d58fa64958130N.exe  83
  PID 1292 wrote to memory of 2276   1292  026bddb8a2649f9a296d58fa64958130N.exe  83
  PID 1292 wrote to memory of 4260   1292  026bddb8a2649f9a296d58fa64958130N.exe  85
  PID 1292 wrote to memory of 4260   1292  026bddb8a2649f9a296d58fa64958130N.exe  85
  PID 1292 wrote to memory of 4260   1292  026bddb8a2649f9a296d58fa64958130N.exe  85
  PID 4260 wrote to memory of 228    4260  smss.exe                               86
  PID 4260 wrote to memory of 228    4260  smss.exe                               86
  PID 4260 wrote to memory of 228    4260  smss.exe                               86
Processes

C:\Users\Admin\AppData\Local\Temp\026bddb8a2649f9a296d58fa64958130N.exe  (PID 1292)
  command line: "C:\Users\Admin\AppData\Local\Temp\026bddb8a2649f9a296d58fa64958130N.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  +-- C:\Windows\SysWOW64\sc.exe  (PID 2276)
        command line: C:\Windows\system32\sc.exe stop wscsvc
        - Launches sc.exe
        - System Location Discovery: System Language Discovery

  +-- C:\Windows\SysWOW64\1230\smss.exe  (PID 4260)
        command line: C:\Windows\system32\1230\smss.exe -d
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        +-- C:\Windows\SysWOW64\sc.exe  (PID 228)
              command line: C:\Windows\system32\sc.exe stop wscsvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
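Two things in this tree are worth turning into detection logic: a process from a user-writable directory spawning sc.exe to stop wscsvc, and a binary named smss.exe running from C:\Windows\SysWOW64\1230\ (the real Session Manager only ever runs from C:\Windows\System32). The command lines say "system32" while the image path says "SysWOW64" because WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit processes, so a rule should match on the basename rather than the directory. The following is an added example, not part of the report or of tria.ge: it runs both rules over constructed Sysmon-style process-creation events that mirror this tree. The event field names, the sample's own parent pid, and the benign smss.exe control event are assumptions for the example.

```python
"""Detection logic for the process chain in this report, run over constructed
Sysmon-style process-creation events. Added example; the event schema, rule
names, the sample's parent pid and the benign control event are assumptions."""
import re
from pathlib import PureWindowsPath

# Constructed events mirroring the report's tree (pids, images and command
# lines as reported). ppid 4444 for the sample and the final smss.exe event
# (the genuine Session Manager, child of the System process) are assumptions.
EVENTS = [
    {"pid": 1292, "ppid": 4444,
     "image": r"C:\Users\Admin\AppData\Local\Temp\026bddb8a2649f9a296d58fa64958130N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\026bddb8a2649f9a296d58fa64958130N.exe"'},
    {"pid": 2276, "ppid": 1292, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r"C:\Windows\system32\sc.exe stop wscsvc"},
    {"pid": 4260, "ppid": 1292, "image": r"C:\Windows\SysWOW64\1230\smss.exe",
     "cmdline": r"C:\Windows\system32\1230\smss.exe -d"},
    {"pid": 228, "ppid": 4260, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r"C:\Windows\system32\sc.exe stop wscsvc"},
    {"pid": 372, "ppid": 4, "image": r"C:\Windows\System32\smss.exe",
     "cmdline": r"\SystemRoot\System32\smss.exe"},
]

# Services whose stop is a defence-evasion signal (wscsvc = Windows Security Center).
SECURITY_SERVICES = {"wscsvc", "windefend", "mpssvc", "securityhealthservice"}
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
# Core Windows binaries that legitimately run only from System32.
PROTECTED_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def ancestors(pid, by_pid):
    """Yield the ancestor events of pid, nearest first, stopping at unknown pids."""
    seen = set()
    e = by_pid.get(pid)
    while e and e["ppid"] in by_pid and e["ppid"] not in seen:
        seen.add(e["ppid"])
        e = by_pid[e["ppid"]]
        yield e


def detect(events):
    """Return (rule, pid, detail) findings for the two behaviours in this report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        path = PureWindowsPath(e["image"])
        name = path.name.lower()
        parent_dir = str(path.parent).lower()

        # Rule 1: sc.exe stopping a security service. Match on basename only,
        # since a 32-bit caller's "system32\sc.exe" resolves to SysWOW64\sc.exe.
        m = SC_STOP.search(e["cmdline"])
        if name == "sc.exe" and m and m.group(1).lower() in SECURITY_SERVICES:
            chain = list(ancestors(e["pid"], by_pid))
            rooted_in_user_dir = any(USER_WRITABLE.match(a["image"]) for a in chain)
            findings.append(("sc_stop_security_service", e["pid"],
                             f"{m.group(1)} stopped; ancestry rooted in "
                             f"user-writable path={rooted_in_user_dir}"))

        # Rule 2: a core system binary name running outside System32, as with
        # SysWOW64\1230\smss.exe here. The genuine smss.exe (pid 372) is not flagged.
        if name in PROTECTED_NAMES and parent_dir != SYSTEM32:
            findings.append(("masquerade_system_binary", e["pid"],
                             f"{name} running from {parent_dir}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Walking the ancestry for the second sc.exe (PID 228) matters: its direct parent is the dropped smss.exe under SysWOW64\1230, which looks like a system path, and only the grandparent in AppData\Local\Temp gives the chain away.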
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 38KB
- MD5: 96ac46b059c706aa24eab0f0550dfb51
- SHA1: 19fc5c8fa966f709a7a739aecad5d7f2d8a49621
- SHA256: 1d0674f371394100fa42930dff5651dbaeef002c3bf059643bb93586084ac705
- SHA512: ea5ac8358b4bf96f5fdb548cb33980e3f178cf90bf94b02545499c9b9f0833cec95bbc44263c725696fe328e017e83eaf603a872d26a85a4f2587f20cb766482