Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14/09/2024, 12:18
Static task: static1
Behavioral task: behavioral1
- Sample: e92c5c3cc78af41efb17022c1414c6a0N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: e92c5c3cc78af41efb17022c1414c6a0N.exe
- Resource: win10v2004-20240802-en
General
- Target: e92c5c3cc78af41efb17022c1414c6a0N.exe
- Size: 1.3MB
- MD5: e92c5c3cc78af41efb17022c1414c6a0
- SHA1: f2b10376e417b54f117007b5448dd9bdfe802cde
- SHA256: 98af60800b57e7056d03dc59760801052cda5d9bd6fed8efb2cdb4fdd821e2ab
- SHA512: 8a503afef0538918d835ce9e1a31968668eeef9b5d15b80a2bc7b263b0f30e0b35be7f2e2e378564bd9ea4134520b009b0a4a2517a8db51733a86e70f0316c51
- SSDEEP: 24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8arMchWbRVBwTpWrQJW86I2:9TvC/MTQYxsWR7arMwgbB0Wc
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  set thread context of 2696 | 2212 | e92c5c3cc78af41efb17022c1414c6a0N.exe | 30
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e92c5c3cc78af41efb17022c1414c6a0N.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  2696 | svchost.exe (reported 7 times)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  2212 | e92c5c3cc78af41efb17022c1414c6a0N.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2212 | e92c5c3cc78af41efb17022c1414c6a0N.exe (reported 2 times)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  2212 | e92c5c3cc78af41efb17022c1414c6a0N.exe (reported 2 times)
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  wrote to memory of 2696 | 2212 | e92c5c3cc78af41efb17022c1414c6a0N.exe | 30 (reported 5 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e92c5c3cc78af41efb17022c1414c6a0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e92c5c3cc78af41efb17022c1414c6a0N.exe"
   PID: 2212
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe (child of PID 2212)
      Command line: "C:\Users\Admin\AppData\Local\Temp\e92c5c3cc78af41efb17022c1414c6a0N.exe"
      PID: 2696
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 282KB
- MD5: 8f100ccc6c59f37f1d020da70f016b38
- SHA1: 6f4e8db78acb46fa98ad93362635ffe0cf37c177
- SHA256: 45e269e71b34d8839728989d33a0fe1e6a6e5eaa4009a3bb28dcc09e542c7f53
- SHA512: 99b254ea8948d71859dd6d997683d80e9f742b8080979c79e7e9238c018837b55ed3a14576f1a9592cab82a636a97a6cfacce7af37287af4d0062331c32aa7f6