Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14/09/2024, 14:06
Static task: static1

Behavioral task: behavioral1
- Sample: 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe
- Resource: win10v2004-20240802-en
General
- Target: 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe
- Size: 816KB
- MD5: 4497e6474675472ba84cba0005e376b4
- SHA1: 4ec2c6b774c533051f7fbd14fcbac85b40a1b0c0
- SHA256: 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a
- SHA512: 80168496989a83231f3cf770dd606108fa120c3507eea5f3c29185d0b6cd381792ea9b0480f2fb59331c9aba129721259ca6d182b490213da2c66b9787721850
- SSDEEP: 24576:xY4G2qLMJalsnqShyoo77lUabuSvbDQOOdIxJsG9H:u3XZynV4oDabuWbDQOcIxJJ9H
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2360 | 1A0B0B0F120B156E155D15B0D0A160A0D160F.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  940 | 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe
  940 | 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  940 | 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe
  2360 | 1A0B0B0F120B156E155D15B0D0A160A0D160F.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1A0B0B0F120B156E155D15B0D0A160A0D160F.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 940 wrote to memory of 2360 | 940 | 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe | 31
  PID 940 wrote to memory of 2360 | 940 | 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe | 31
  PID 940 wrote to memory of 2360 | 940 | 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe | 31
  PID 940 wrote to memory of 2360 | 940 | 7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7e151f108d0875a517919c761a0991c2766cc6e6770b9bd1b5bdd822465d2a0a.exe"
   PID: 940
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\1A0B0B0F120B156E155D15B0D0A160A0D160F.exe (child of PID 940)
      Command line: C:\Users\Admin\AppData\Local\Temp\1A0B0B0F120B156E155D15B0D0A160A0D160F.exe
      PID: 2360
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 816KB
- MD5: 498b6fbc3c591d153004e56ccbd06eba
- SHA1: f40da18e2f04c4d44ede0dceaefe20243a1d7a34
- SHA256: ae0ea7dd90ab542e7e9bf8b09b27f59d87607eccb56b17fa022806747bfa65cc
- SHA512: a6324162eca5122731360912f20b6a267d699f0adcc3a18950b3a57a231aa9c44e3a2acb784bc2ca80497f49a4705e02ad429013327b934951c9b81595b14487