Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 15s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14/09/2024, 10:12
Static task: static1
Behavioral task: behavioral1
- Sample: fd31eaf21124c3f1128bc62b851b7400N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: fd31eaf21124c3f1128bc62b851b7400N.exe
- Resource: win10v2004-20240802-en
General
- Target: fd31eaf21124c3f1128bc62b851b7400N.exe
- Size: 39KB
- MD5: fd31eaf21124c3f1128bc62b851b7400
- SHA1: 2dd88c5c2b77758ff6b9d495f0d17dd38a98d89e
- SHA256: a14123f4907aff417a57d7aa0a54f489b738c6b4aed1b1656db71bdbb336e794
- SHA512: bfe4d37f071fdcec0fecd4af34cb55288efcc3e45edb4be637d684398fc19a544760b4b9cc612979c349a26e20c18286fbd64aabcd1b26ae0386d6c987ba3993
- SSDEEP: 384:MApc8m4e0LvQac4JI341CNabnkIU0Sq0yDAU:MApQr0LvddJI34nTkIU0Eyn
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid / Process: 1840 sal.exe
- Loads dropped DLL (2 IoCs)
  pid / Process: 2368 fd31eaf21124c3f1128bc62b851b7400N.exe
  pid / Process: 2368 fd31eaf21124c3f1128bc62b851b7400N.exe
- Drops file in System32 directory (1 IoC)
  description / ioc / Process: File created \??\c:\windows\SysWOW64\sal.exe fd31eaf21124c3f1128bc62b851b7400N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fd31eaf21124c3f1128bc62b851b7400N.exe
  description / ioc / Process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sal.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target: PID 2368 wrote to memory of 1840, 2368 fd31eaf21124c3f1128bc62b851b7400N.exe, 30
  description / pid / Process / procid_target: PID 2368 wrote to memory of 1840, 2368 fd31eaf21124c3f1128bc62b851b7400N.exe, 30
  description / pid / Process / procid_target: PID 2368 wrote to memory of 1840, 2368 fd31eaf21124c3f1128bc62b851b7400N.exe, 30
  description / pid / Process / procid_target: PID 2368 wrote to memory of 1840, 2368 fd31eaf21124c3f1128bc62b851b7400N.exe, 30
Processes
- C:\Users\Admin\AppData\Local\Temp\fd31eaf21124c3f1128bc62b851b7400N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\fd31eaf21124c3f1128bc62b851b7400N.exe"), depth 1, PID: 2368
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\windows\SysWOW64\sal.exe (command line: "C:\windows\system32\sal.exe"), depth 2, PID: 1840
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 39KB
- MD5: bc9937c3862acc948bf237086858e23c
- SHA1: 00eda705fd71e4976fb3da9dcc66cc9eb77ae387
- SHA256: f4d92080fb1da4eed01e3ade9f7fe507f75bc65ca780d37a873f6c36f9d36925
- SHA512: 1f4536859a052fbf4f6c2c3087a2833886664e54ddfa7b97491ef4801dfb9009295aa48a3b2b859166743ed7175fa29e96d94348ca5ae9ef584c9d2eca5dda4d