Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2024, 18:15

General

  • Target

    e00e260dcd3db9f92382c39152fdd820N.exe

  • Size

    49KB

  • MD5

    e00e260dcd3db9f92382c39152fdd820

  • SHA1

    cfcba24a21814e1cfdd6e0c138b5dca95c047a4a

  • SHA256

    b76c769c954a976e811bb74283993ae508f3ff98753f3ac5f35037a5d0bf7fc2

  • SHA512

    37908f82ff253b4fd6ef65623f3c1b09ac0371968bee046e8d74fcdaf2929af342b6fc41bd697f46e17d24ad8badefc3b276c31b69db7babf1302bbf24e64cf0

  • SSDEEP

    1536:NLI4qg9+Q/KMJqSsGpdNmLUIsWsdM5T233Z:Bb/jq0LNmLUIsWsdM5T233Z

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e00e260dcd3db9f92382c39152fdd820N.exe
    "C:\Users\Admin\AppData\Local\Temp\e00e260dcd3db9f92382c39152fdd820N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E00E26~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2676
  • C:\Windows\Debug\fwehost.exe
    C:\Windows\Debug\fwehost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\debug\fwehost.exe

    Filesize

    49KB

    MD5

    55874ff0803453a9bcfafa4641c30b29

    SHA1

    1a3ad9910546878bf9bda2b334edcb3c0591addd

    SHA256

    287b7b5862ba0f0dd3966742c29141801bbb7affa664807b58835dd2e254e6f9

    SHA512

    f2d3c1ab82bd3f3d6ac59dd070c824119910a06d44eca6c736822afefef81afd8642f051f4215e7d0730e9159d5a9a6f7b4a4403afb4f6988b6fd66d47d3c516

  • memory/2624-0-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2624-5-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2672-11-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2672-12-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2672-14-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2672-16-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2672-17-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/2672-19-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB