Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2024, 18:15
Static task: static1
Behavioral task: behavioral1 (sample e00e260dcd3db9f92382c39152fdd820N.exe, resource win7-20240708-en)
Behavioral task: behavioral2 (sample e00e260dcd3db9f92382c39152fdd820N.exe, resource win10v2004-20240802-en)
General
Target: e00e260dcd3db9f92382c39152fdd820N.exe
Size: 49KB
MD5: e00e260dcd3db9f92382c39152fdd820
SHA1: cfcba24a21814e1cfdd6e0c138b5dca95c047a4a
SHA256: b76c769c954a976e811bb74283993ae508f3ff98753f3ac5f35037a5d0bf7fc2
SHA512: 37908f82ff253b4fd6ef65623f3c1b09ac0371968bee046e8d74fcdaf2929af342b6fc41bd697f46e17d24ad8badefc3b276c31b69db7babf1302bbf24e64cf0
SSDEEP: 1536:NLI4qg9+Q/KMJqSsGpdNmLUIsWsdM5T233Z:Bb/jq0LNmLUIsWsdM5T233Z
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2676, process cmd.exe
Executes dropped EXE (1 IoC)
  pid 2672, process fwehost.exe
yara_rule upx (8 IoCs)
  resource behavioral1/memory/2624-0-0x0000000010000000-0x000000001000E000-memory.dmp
  resource behavioral1/memory/2624-5-0x0000000010000000-0x000000001000E000-memory.dmp
  resource behavioral1/memory/2672-11-0x0000000010000000-0x000000001000E000-memory.dmp
  resource behavioral1/memory/2672-12-0x0000000010000000-0x000000001000E000-memory.dmp
  resource behavioral1/memory/2672-14-0x0000000010000000-0x000000001000E000-memory.dmp
  resource behavioral1/memory/2672-16-0x0000000010000000-0x000000001000E000-memory.dmp
  resource behavioral1/memory/2672-17-0x0000000010000000-0x000000001000E000-memory.dmp
  resource behavioral1/memory/2672-19-0x0000000010000000-0x000000001000E000-memory.dmp
Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Windows directory (2 IoCs)
  File created C:\Windows\Debug\fwehost.exe, process e00e260dcd3db9f92382c39152fdd820N.exe
  File opened for modification C:\Windows\Debug\fwehost.exe, process e00e260dcd3db9f92382c39152fdd820N.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process e00e260dcd3db9f92382c39152fdd820N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process fwehost.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cmd.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, process fwehost.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, process fwehost.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token SeIncBasePriorityPrivilege, pid 2624, process e00e260dcd3db9f92382c39152fdd820N.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2624 (e00e260dcd3db9f92382c39152fdd820N.exe) wrote to memory of PID 2676, procid_target 31 (recorded 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\e00e260dcd3db9f92382c39152fdd820N.exe (PID 2624)
  command line: "C:\Users\Admin\AppData\Local\Temp\e00e260dcd3db9f92382c39152fdd820N.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\cmd.exe (PID 2676)
    command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E00E26~1.EXE > nul
    (The 32-bit parent requested system32\cmd.exe; WoW64 file system redirection resolved it to SysWOW64\cmd.exe. E00E26~1.EXE is the 8.3 short name of the sample's own file, which is why the signature reads "Deletes itself".)
    - Deletes itself
    - System Location Discovery: System Language Discovery
C:\Windows\Debug\fwehost.exe (PID 2672)
  command line: C:\Windows\Debug\fwehost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
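The process tree shows, as one sequence, what the signatures list separately: the sample writes fwehost.exe under C:\Windows\Debug, spawns cmd.exe to delete its own image (referenced by its 8.3 short name, E00E26~1.EXE), and the dropped copy runs. The Python below is an added example, not tria.ge code and not a rule from this report. It runs those three checks over process-creation and file-creation records constructed from the tree; the Sysmon-like field names, the explorer.exe parent of PID 2624 and its PID, and the final benign cmd.exe "control" record are assumptions. The 8.3 matcher is an approximation: it compares the deleted file's six-character prefix and extension against the parent's image name, because the ~N counter depends on which other files share the directory. The registry reads flagged above (NLS\Language, CentralProcessor\0\~MHz) come from the sandbox's API trace; Sysmon logs registry key creation, value sets and renames but not reads, so they are not covered here.

```python
import re
from pathlib import PureWindowsPath

# Constructed records modelled on the report's process tree (field names,
# the explorer.exe parent/PID, and the last "control" event are assumptions).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e00e260dcd3db9f92382c39152fdd820N.exe"
EVENTS = [
    {"type": "ProcessCreate", "pid": 2624, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_pid": 1234, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "FileCreate", "pid": 2624, "image": SAMPLE,
     "target": r"C:\Windows\Debug\fwehost.exe"},
    {"type": "ProcessCreate", "pid": 2676, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E00E26~1.EXE > nul',
     "parent_pid": 2624, "parent_image": SAMPLE},
    {"type": "ProcessCreate", "pid": 2672, "image": r"C:\Windows\Debug\fwehost.exe",
     "cmdline": r"C:\Windows\Debug\fwehost.exe", "parent_pid": 0, "parent_image": ""},
    # control: a build tool cleaning up an unrelated temp file must not fire
    {"type": "ProcessCreate", "pid": 3001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\build.log > nul',
     "parent_pid": 2999, "parent_image": r"C:\Tools\build.exe"},
]

WINDOWS_DIR = "c:\\windows\\"
SHORT_OK = set("$%'-_@~`!(){}^#&")  # characters Windows keeps verbatim in 8.3 names
DEL_RE = re.compile(r'/c\s+(?:del|erase)\s+(?:/[a-z]\s+)*(?:"([^"]+)"|([^\s>&|]+))', re.I)


def short_name_parts(filename):
    """Approximate the 8.3 form Windows generates for a long file name: the
    first six significant characters of the stem, upper-cased, plus a
    three-character extension. The ~N suffix depends on collisions in the
    directory, so callers match it with a wildcard."""
    p = PureWindowsPath(filename)
    stem, ext = p.stem, p.suffix.lstrip(".")
    cleaned = "".join(c if (c.isalnum() or c in SHORT_OK) else "_"
                      for c in stem if c not in " .")
    return cleaned[:6].upper(), ext[:3].upper()


def del_target(cmdline):
    """Return the path passed to 'cmd /c del' (quoted or bare), or None."""
    m = DEL_RE.search(cmdline or "")
    if not m:
        return None
    return m.group(1) or m.group(2)


def names_match(long_name, candidate):
    """True if candidate names the same file as long_name, either verbatim
    (case-insensitive) or in 8.3 form such as E00E26~1.EXE."""
    if candidate.lower() == long_name.lower():
        return True
    prefix, ext = short_name_parts(long_name)
    pattern = re.escape(prefix) + r"~\d+" + (r"\." + re.escape(ext) if ext else "")
    return re.fullmatch(pattern, candidate, re.I) is not None


def is_self_delete(ev):
    """cmd.exe child whose 'del' argument is the parent's own image file."""
    if ev["type"] != "ProcessCreate":
        return False
    if PureWindowsPath(ev["image"]).name.lower() != "cmd.exe":
        return False
    target = del_target(ev.get("cmdline"))
    if not target or not ev.get("parent_image"):
        return False
    return names_match(PureWindowsPath(ev["parent_image"]).name,
                       PureWindowsPath(target).name)


def is_drop_in_windows_dir(ev):
    """Executable written under C:\\Windows by a process that does not itself
    run from C:\\Windows (here: a sample in the user's Temp directory)."""
    if ev["type"] != "FileCreate":
        return False
    target, source = ev["target"].lower(), ev["image"].lower()
    return (target.startswith(WINDOWS_DIR) and target.endswith(".exe")
            and not source.startswith(WINDOWS_DIR))


def detect(events):
    """Return (pid, tag, detail) findings; the self-delete is attributed to
    the parent that spawned cmd.exe, matching the report's intent."""
    findings, dropped = [], set()
    for ev in events:
        if is_drop_in_windows_dir(ev):
            dropped.add(ev["target"].lower())
            findings.append((ev["pid"], "drops_exe_in_windows_dir", ev["target"]))
        if ev["type"] == "ProcessCreate" and ev["image"].lower() in dropped:
            findings.append((ev["pid"], "executes_dropped_exe", ev["image"]))
        if is_self_delete(ev):
            findings.append((ev["parent_pid"], "self_delete_via_cmd", ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for pid, tag, detail in detect(EVENTS):
        print(f"{pid}\t{tag}\t{detail}")
```

Against the constructed records this yields three findings (drop, execute, self-delete) and nothing for the control record, because build.log neither equals build.exe nor matches its 8.3 pattern BUILD~N.EXE. In a real telemetry pipeline the same three functions would be fed Sysmon Event ID 1 and 11 fields, and the directory of the deleted path could be compared to the parent's directory for extra confidence.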
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 49KB
MD5: 55874ff0803453a9bcfafa4641c30b29
SHA1: 1a3ad9910546878bf9bda2b334edcb3c0591addd
SHA256: 287b7b5862ba0f0dd3966742c29141801bbb7affa664807b58835dd2e254e6f9
SHA512: f2d3c1ab82bd3f3d6ac59dd070c824119910a06d44eca6c736822afefef81afd8642f051f4215e7d0730e9159d5a9a6f7b4a4403afb4f6988b6fd66d47d3c516