Analysis
Max time kernel: 117s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 21/09/2024, 06:50
Static task: static1
Behavioral task: behavioral1
  Sample: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
  Resource: win10v2004-20240802-en
General
Target: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
Size: 272KB
MD5: 35d9b178e3b72d5c8c58bf8a39e13b40
SHA1: 979d7fd6819a57f35dda490d34785e7493802b2a
SHA256: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173b
SHA512: 21ef136a54f315beabd4fcd416236361114785cf45e36bb12324bc12186404c6549e093891f70a9578f031f02f71aa4d9c3fd1fccdea29ae0ce783a86f8087ab
SSDEEP: 6144:cLIYnkKVa4zxkQnmo1mEcbWo2Yi8zLH9yy6atBWOw:cLDmFDpVv97tA
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2984: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
- Executes dropped EXE (1 IoC)
  PID 2984: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
- Loads dropped DLL (1 IoC)
  PID 2408: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
- Suspicious behavior: RenamesItself (1 IoC)
  PID 2408: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
- Suspicious use of UnmapMainImage (1 IoC)
  PID 2984: df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2408 (df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe) wrote to memory of PID 2984, procid_target 31 (4 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe (PID 2408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe (PID 2984, child of PID 2408)
    Command line: C:\Users\Admin\AppData\Local\Temp\df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\df624b59d503cde2be198b6c2ccdf97f5f0e44382c9065e70f604703ae99173bN.exe
  Filesize: 272KB
  MD5: f171fa95ac9a408bdee00f6db295777a
  SHA1: 6d2a5cd4ebcb7481b32d85552d986764abab0f9b
  SHA256: c29c3cde1b3e692ca0bef7858c8212d656e57bef4746002120631c521038f1f5
  SHA512: ae394a20547f7a905eb49748db4ce35cc686a6effbb96ccc90d91b9e3ca2e721b269264a0e2b66273ada28f7ce5ec1c7c0af805dd8ca012d3dc92b99872970ae