Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 18:56
Static task
- static1

Behavioral task
- behavioral1
  Sample: 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Resource: win7-20240903-en

Behavioral task
- behavioral2
  Sample: 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Resource: win10v2004-20240802-en
General
- Target: 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
- Size: 2.7MB
- MD5: 6803679e27fec0fbbc90ad4d1c847b60
- SHA1: 4bcc7562edd3119175cbdbc34ab7f9b0635fcf3e
- SHA256: 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c
- SHA512: 64c2dc052f662869021192199cccc61919a1baaa57fd08b4a25ac7e181f1f73b64ffc0fb38e468b7567f8e0d88194f080b2fc766b96a1cb219e4f9d7167e49bd
- SSDEEP: 49152:9ayT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:bTE66yXZ02DwUHoazRofxIhELjf/IVgs
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2952  cmd.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2964  Gray Harrie.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  2288  WerFault.exe
  2288  WerFault.exe
  2288  WerFault.exe
  2288  WerFault.exe
  2288  WerFault.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2288  2964        WerFault.exe  32
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Gray Harrie.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2952  cmd.exe
  2660  PING.EXE
- Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  2660  PING.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  2964  Gray Harrie.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Token: SeIncBasePriorityPrivilege  1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Token: SeDebugPrivilege            2964  Gray Harrie.exe
  Token: SeIncBasePriorityPrivilege  2964  Gray Harrie.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1960 wrote to memory of 2964   1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe  32
  PID 1960 wrote to memory of 2964   1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe  32
  PID 1960 wrote to memory of 2964   1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe  32
  PID 1960 wrote to memory of 2964   1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe  32
  PID 1960 wrote to memory of 2952   1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe  33
  PID 1960 wrote to memory of 2952   1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe  33
  PID 1960 wrote to memory of 2952   1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe  33
  PID 1960 wrote to memory of 2952   1960  165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe  33
  PID 2952 wrote to memory of 2660   2952  cmd.exe                                                                   35
  PID 2952 wrote to memory of 2660   2952  cmd.exe                                                                   35
  PID 2952 wrote to memory of 2660   2952  cmd.exe                                                                   35
  PID 2952 wrote to memory of 2660   2952  cmd.exe                                                                   35
  PID 2964 wrote to memory of 2288   2964  Gray Harrie.exe                                                           36
  PID 2964 wrote to memory of 2288   2964  Gray Harrie.exe                                                           36
  PID 2964 wrote to memory of 2288   2964  Gray Harrie.exe                                                           36
  PID 2964 wrote to memory of 2288   2964  Gray Harrie.exe                                                           36
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe"
  PID: 1960
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Gray Harrie.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Gray Harrie.exe"
    PID: 2964
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 800
      PID: 2288
      - Loads dropped DLL
      - Program crash
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe"
    PID: 2952
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      PID: 2660
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 81b03ab00083414362440a7bb63246a5
  SHA1: 3cb1b962b7a9dad130acc60c6cf8b89c88955cea
  SHA256: 3e61705c4463b0c5d558fff9971adb7f8a38631133d19ddac7d523222b4c7f7d
  SHA512: 992aecf6aa389adec74b007fb8c4e20471a2a08bc342d2304d780c85a3daff28d85ff8424dc30cf7379c7112905d58443b499b86725472caf2f06978b0d1e2d7
- Filesize: 2.7MB
  MD5: ea4dc5edd3f289be74e804c48df1ad8e
  SHA1: d5a4bb084e8f0787e51f51d93fd2e246cbf21b3a
  SHA256: 04b1f57d6d1983833aaf25f17ae5989f5ad7b9fbf22648ae87afead44f5b0b55
  SHA512: 503af7dddcdd049a3166f2878ce2c0f252126beef855f3fb70c965d9908187a0b77e2ee9c11935be54e55401fe2619fc1a3d702e85dcce8fc79f35a5c3fe7f69