Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 18:32
Behavioral task
behavioral1
Sample
9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
Resource
win7-20240903-en
General
Target: 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
Size: 578KB
MD5: b52088e450ef03ff18b089f2638e54a0
SHA1: 98c65f8876cd9c0065cf8ca2d0305d16d265e4ea
SHA256: 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610
SHA512: 43312e853b0c6c721ec0bb7aa5ec4a6c3dbf1506a4e413209e4828bf30e23f3ba618dd27d94bcff52cc2aa33f933004e5b4ce6bd174961f6c95cfa5225aff53f
SSDEEP: 6144:XV55pRPQdrFhbEhtVacLaN//2gWF6lxcBbmKm:XDDGdDbEh/a3tKj
Malware Config
Signatures
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | vxdini16.exe
The Wow6432Node component means both processes are 32-bit and their HKLM\SOFTWARE access was redirected by WOW64; a native 64-bit process performing the same check would open HKLM\SOFTWARE\VMware, Inc.\VMware Tools, so a detection rule should match either form.
Executes dropped EXE 1 IoCs
pid | Process
2944 | vxdini16.exe
Loads dropped DLL 2 IoCs
pid | Process
2128 | 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
2128 | 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\vxdini16.exe | 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
File created | C:\Windows\SysWOW64\vxdini16.exe | vxdini16.exe
File created | C:\Windows\SysWOW64\vxdini16.exe | 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
YARA rule match: upx (5 IoCs)
resource | yara_rule
behavioral1/memory/2128-0-0x0000000000400000-0x0000000000448000-memory.dmp | upx
behavioral1/files/0x0007000000012118-6.dat | upx
behavioral1/memory/2944-14-0x0000000000400000-0x0000000000448000-memory.dmp | upx
behavioral1/memory/2128-15-0x0000000000400000-0x0000000000448000-memory.dmp | upx
behavioral1/memory/2944-17-0x0000000000400000-0x0000000000448000-memory.dmp | upx
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
2128 | 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe | 5
2944 | vxdini16.exe | 59
(64 entries in total, collapsed by process; the first four are from PID 2128, then the two processes alternate once before PID 2944 accounts for the rest.)
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2128 wrote to memory of 2944 | 2128 | 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe | 30
(4 identical entries)
All four writes go from the parent to the child it has just spawned. A parent writing into a freshly created child at startup is also produced by ordinary process creation, so on its own this signature is not evidence of injection; the drop-to-SysWOW64-and-execute chain above is the stronger indicator.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe"
   PID: 2128
   - Looks for VMWare Tools registry key
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\vxdini16.exe (child of PID 2128)
      Command line: C:\Windows\system32\vxdini16.exe
      PID: 2944
      - Looks for VMWare Tools registry key
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
The child is started with a system32 command line but its image is in SysWOW64: the parent is a 32-bit process, so WOW64 file system redirection maps its System32 references to SysWOW64. The same redirection is why the registry signatures show Wow6432Node paths. When sweeping a host for this artefact, look in SysWOW64, not System32.
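The signatures and process tree above record four behaviours a detection engineer would want to recognise in any trace: an anti-VM registry probe, a system-language probe, an executable dropped into a Windows system directory, and that dropped executable then being started. The Python below is an added example, not tria.ge code: it encodes those behaviours as rules and runs them over a small event list constructed from this report's rows, plus one made-up benign event as a control. The Event type, the rule names, the VirtualBox key and the ATT&CK technique numbers are my own assumptions; only the VMware Tools key, the NLS\Language key, the SysWOW64 path and the two PIDs come from the report. The key normaliser strips Wow6432Node and ControlSet aliases so one rule covers 32-bit and 64-bit processes.

```python
"""Detection rules over sandbox-style events, modelled on this report's signatures.
Added example (not tria.ge code); the EVENTS list is constructed from the report."""
import re
from dataclasses import dataclass

# Registry keys whose presence betrays a VM guest. The VMware Tools key is the one
# this sample opened; the VirtualBox key is an assumption added for generality.
VM_ARTIFACT_KEYS = {
    r"\REGISTRY\MACHINE\SOFTWARE\VMWARE, INC.\VMWARE TOOLS",
    r"\REGISTRY\MACHINE\SOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONS",
}
LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE"
# A user-mode dropper writing an .exe under either system directory is worth a rule.
SYSTEM_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\")
# Assumed ATT&CK mapping for the two discovery/evasion rules (my mapping, not the page's).
ATTACK_IDS = {"vm_check": "T1497.001", "language_discovery": "T1614.001"}


@dataclass
class Event:
    kind: str      # "regopen" | "filecreate" | "procstart"
    pid: int
    process: str   # image name of the acting process
    target: str    # registry key, file path, or image path of the started process


def norm_key(key: str) -> str:
    """Canonicalise a registry path so the Wow6432Node (32-bit) and native views of
    a key, and any ControlSet alias, match the same rule."""
    key = key.upper().replace("\\WOW6432NODE", "")
    return re.sub(r"\\(CURRENTCONTROLSET|CONTROLSET\d{3})\\", r"\\CONTROLSET001\\", key)


def detect(events):
    """Return {rule: sorted pids} for every rule that fired on the event stream."""
    hits = {}
    created = {}  # upper-cased path -> pid that first created it

    def hit(rule, pid):
        hits.setdefault(rule, set()).add(pid)

    for e in events:
        if e.kind == "regopen":
            k = norm_key(e.target)
            if k in VM_ARTIFACT_KEYS:
                hit("vm_check", e.pid)
            elif k == LANGUAGE_KEY:
                hit("language_discovery", e.pid)
        elif e.kind == "filecreate":
            p = e.target.upper()
            if p.startswith(SYSTEM_DIRS) and p.endswith(".EXE"):
                hit("drop_in_system_dir", e.pid)
                created.setdefault(p, e.pid)
        elif e.kind == "procstart" and e.target.upper() in created:
            # the image being started was written earlier in this same trace
            hit("executes_dropped_exe", e.pid)
    return {rule: sorted(pids) for rule, pids in hits.items()}


def attack_ids(hits):
    """Sorted ATT&CK technique ids for the rules that fired (assumed mapping)."""
    return sorted({ATTACK_IDS[r] for r in hits if r in ATTACK_IDS})


SAMPLE = "9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe"
DROPPED = r"C:\Windows\SysWOW64\vxdini16.exe"
VMWARE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools"
# Constructed from the report's rows (PIDs 2128 and 2944) in trace order;
# the explorer.exe event is a made-up benign control.
EVENTS = [
    Event("regopen", 2128, SAMPLE, VMWARE_KEY),
    Event("regopen", 2128, SAMPLE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("filecreate", 2128, SAMPLE, DROPPED),
    Event("procstart", 2944, "vxdini16.exe", DROPPED),
    Event("regopen", 2944, "vxdini16.exe", VMWARE_KEY),
    Event("filecreate", 2944, "vxdini16.exe", DROPPED),
    Event("regopen", 1234, "explorer.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"),
]

if __name__ == "__main__":
    result = detect(EVENTS)
    for rule, pids in result.items():
        print(f"{rule:<22} pids={pids}")
    print("ATT&CK:", attack_ids(result))
```

Running it flags vm_check for both PIDs, language_discovery for 2128 only, drop_in_system_dir for both (the child re-creates its own image, as the report shows) and executes_dropped_exe for 2944; the explorer.exe control produces nothing. Because the drop-then-execute rule keys on the path written earlier in the same trace, it does not need a hard-coded filename and would fire on the next sample that drops under a different name.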
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 584KB (differs from the 578KB submitted sample, so this is a separate artefact)
MD5: 1b122ad1d6ec5945bdaa8eb0e150db23
SHA1: 286626f846173a94357bf7362e920db2154c6c99
SHA256: 54f5274317090538d447fb2c6fc82a8183d3851d8d8bf8404b42a5da349215f5
SHA512: ed9a631841dda5221ef0a8005219b6d58e0bd2a3e41cb7cb37bf3a0cdcb83939ce9fb0a3af1dd8e7c16cf06187786c2f1f123ff9d7e201d16e39cce8d05727e0