Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/09/2024, 19:55
Static task
- static1

Behavioral task
- behavioral1
  Sample: 9kk.exe
  Resource: win7-20240903-en

Behavioral task
- behavioral2
  Sample: 9kk.exe
  Resource: win10v2004-20240802-en
General
- Target: 9kk.exe
- Size: 381KB
- MD5: f5a1956973dce107d4c0b6267ce88870
- SHA1: 79a19513d7c9cff939f2881c4172a05dbaef735b
- SHA256: 7b794c5bdb820791f0359da90a9a4f258412b8feef9c6e6a0411f6aead9d3a04
- SHA512: f42180c75c0ae8dc083c6fff98a66c0d875fadb400d7945816ea330a54777632a3a7752d3e78b90e45f58ed3d04d6708b1dcea51d82711356e6d14e405a7c579
- SSDEEP: 6144:1v60lgEVBlU2GTOMzuC/cuVXRCEPZG03ZrkZdlBF4P+/G1GB64iL7yMsEO:1vBLblUlH5LXPZd3Z4ZdlBWPsQGB64iQ
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process  procid_target
  PID 2648 set thread context of 2712  2648  9kk.exe  32

- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2592  2712        WerFault.exe  32
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9kk.exe
- Suspicious use of WriteProcessMemory (24 IoCs; identical rows collapsed, with the number of occurrences in the count column)
  description                       pid   Process     procid_target  count
  PID 2648 wrote to memory of 2900  2648  9kk.exe     31             7
  PID 2648 wrote to memory of 2712  2648  9kk.exe     32             13
  PID 2712 wrote to memory of 2592  2712  RegAsm.exe  33             4
Processes
- C:\Users\Admin\AppData\Local\Temp\9kk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9kk.exe"
  PID: 2648
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2900
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2712
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 252
      PID: 2592
      - Program crash