Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 146s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 19:17

Static task: static1

Behavioral task: behavioral1
Sample: 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
Resource: win10v2004-20240802-en
General
Target: 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
Size: 205KB
MD5: f4b030d8f06fcdeab6dbc5a8d90ea949
SHA1: c433438398b9dc5644dc5244255b592098069d8e
SHA256: 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96
SHA512: 7de46b5fa25dac43206df4b468cb3773828e46d3c38945d0eae49735812ac8e4974d53093f59333cd7f4d689887bf105df0a53d0c76a80b131a77b0137de2702
SSDEEP: 3072:0IXqry+d3DxQcv7zhWPk65Ui8BhmqjNj8DCUNUO42YwHdKpUUzE0mu87Gw:dQCcv7Mk6bgL5jMCeU3dRCUI0mu8
Malware Config
Signatures

Loads dropped DLL (5 IoCs)
pid | Process
1580 | 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
1232 | rundll32.exe (4 identical entries)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle" | 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\sshnas21.dll | 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe

Suspicious behavior: EnumeratesProcesses (32 IoCs)
pid | Process
1580 | 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe (2 identical entries)
1232 | rundll32.exe (30 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1580 | 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 1580 wrote to memory of 1232 | 1580 | 1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe | 28 (7 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe"
   PID: 1580
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
      PID: 1232
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2B
MD5: 309fc7d3bc53bb63ac42e359260ac740
SHA1: 2064f80f811db79a33c4e51c10221454e30c74ae
SHA256: ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa
SHA512: 77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Filesize: 168KB
MD5: 5561492e551cda26b5fdf17b5faecb4e
SHA1: ad0e6164209356188cf3b95a16054ca886833ce5
SHA256: 0cd32a6cc630577699fea8629e02d32508a5dafd93d5337ced72aefbf129fe7c
SHA512: 3c8bf9d10371e75b3ca308e97b70be246c3a60c99d99847e0472ed9c88b1fdc19108a306b3fa3cdd45bddbae2f9c5cdaad0bfa4d41903866588f35b78cabbb61