Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 20:34
Static task
static1
Behavioral tasks
behavioral1: sample taxcalc.exe, resource win7-20240903-en
behavioral2: sample taxcalc.exe, resource win10v2004-20240802-en
behavioral3: sample 新云软件.url (Chinese, "New Cloud Software"), resource win7-20240903-en
behavioral4: sample 新云软件.url, resource win10v2004-20240802-en
General
Target: taxcalc.exe
Size: 2.1MB
MD5: 224dacf13fdc6208c259e80b60930bd9
SHA1: eef52ca52d0f4f9a25571109af2338c7a5cbfec5
SHA256: 0daca8eedcc0dec62533adfe8f223d7c32f62ab61766916271af392379eae4f9
SHA512: a568732cb75b665603517f48034bf7fd2c658360809325c873454f2597d8981c143a0aa7adc74e658cfc6e230eeeae63bc8d186fa339b591de16838a5c3b356e
SSDEEP: 49152:wCZN2Ev2HSNchehklLKsWuGtTMx5UMt6cd3:iscDmsWVw5UMt/
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
PID 2724, setup.exe
Loads dropped DLL (4 IoCs)
PID 2668, taxcalc.exe
PID 2724, setup.exe (3 loads)
YARA rule "upx" matched (3 IoCs)
behavioral1/files/0x000800000001926c-3.dat
behavioral1/memory/2668-5-0x0000000003210000-0x000000000324A000-memory.dmp
behavioral1/memory/2724-17-0x0000000000400000-0x000000000043A000-memory.dmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by taxcalc.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by setup.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
PID 2724, setup.exe (3 calls)
Suspicious use of WriteProcessMemory (7 IoCs)
PID 2668 (taxcalc.exe) wrote to memory of PID 2724 (procid_target 30), 7 calls
Processes
1. C:\Users\Admin\AppData\Local\Temp\taxcalc.exe (PID 2668)
   command line: "C:\Users\Admin\AppData\Local\Temp\taxcalc.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe (PID 2724, child of 2668)
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
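The process tree above shows taxcalc.exe spawning setup.exe out of a RarSFX0 temp directory, and the YARA hits show the dropped file and both processes' memory matching the "upx" rule. The Python script below is an added example, not part of the tria.ge report or of the sample: it statically checks a PE image for UPX section names and for a RAR archive appended as an overlay after the last section (the layout a WinRAR self-extractor uses; that taxcalc.exe is built this way is an assumption drawn from the RarSFX0 path, not something the report confirms), and compares the file's hashes with the ones listed in the General section. build_fake_pe constructs a synthetic PE-shaped blob so the script runs offline without the real sample.

```python
import hashlib
import struct

# Well-known magic bytes (not taken from the report).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x archive marker
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive marker
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

# Hashes of taxcalc.exe as listed in the report above.
REPORTED_TAXCALC = {
    "md5": "224dacf13fdc6208c259e80b60930bd9",
    "sha1": "eef52ca52d0f4f9a25571109af2338c7a5cbfec5",
    "sha256": "0daca8eedcc0dec62533adfe8f223d7c32f62ab61766916271af392379eae4f9",
}


def pe_sections(data: bytes):
    """Parse the PE section table; return [(name, raw_offset, raw_size), ...].

    Raises ValueError for anything that is not a well-formed MZ/PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(n_sections):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0")
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)
        sections.append((name, raw_off, raw_size))
    return sections


def triage(data: bytes) -> dict:
    """Static packer/SFX indicators: UPX section names and a RAR archive in the overlay."""
    secs = pe_sections(data)
    # Overlay = bytes after the end of the last section's raw data.
    overlay_start = max((off + size for _, off, size in secs), default=len(data))
    names = {n for n, _, _ in secs}
    report = {
        "upx_sections": sorted(n.decode() for n in names & UPX_SECTION_NAMES),
        "overlay_size": max(0, len(data) - overlay_start),
        "rar_in_overlay": False,
        "rar_version": None,
        "rar_offset": None,
    }
    for magic, ver in ((RAR5_MAGIC, 5), (RAR4_MAGIC, 4)):
        off = data.find(magic, overlay_start)   # only search the overlay
        if off != -1:
            report.update(rar_in_overlay=True, rar_version=ver, rar_offset=off)
            break
    return report


def file_hashes(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data: bytes, reported=REPORTED_TAXCALC) -> dict:
    """Per-algorithm comparison of a file's digests against the report's values."""
    actual = file_hashes(data)
    return {alg: actual[alg] == digest for alg, digest in reported.items()}


def build_fake_pe(section_names, overlay: bytes = b"") -> bytes:
    """Constructed test input: a minimal PE-shaped blob, not a real or runnable binary."""
    n = len(section_names)
    headers_end = 0x40 + 4 + 20 + 40 * n           # DOS stub + PE sig + COFF + section table
    body_start = (headers_end + 0x1FF) & ~0x1FF    # raw data aligned to 512 bytes
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0x22)       # SizeOfOptionalHeader = 0
    raw = bytearray()
    for i, name in enumerate(section_names):
        raw_off = body_start + 0x200 * i
        hdr += name.ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000 * (i + 1), 0x200, raw_off)
        hdr += b"\0" * 16
        raw += b"\xcc" * 0x200
    return bytes(hdr).ljust(body_start, b"\0") + bytes(raw) + overlay


if __name__ == "__main__":
    sample = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], overlay=b"\0" * 16 + RAR4_MAGIC + b"\0" * 32)
    print(triage(sample))
    print(matches_report(sample))
```

Section names are trivial to rename, so an empty upx_sections list proves nothing; the sandbox's YARA match on the in-memory dumps is the stronger signal, and this check is only a first pass before unpacking. The hash comparison is the step to run before trusting any of the report's findings for a file pulled from a host: a different build of the same lure name will share none of the digests listed above.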
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.5MB (a different file from the 2.1MB submitted target; the report does not name it)
MD5: 6fcf034db68409a4b9086c8c7b6e41ec
SHA1: 899c5982391f7d55408db1813672e85a47f87bd8
SHA256: b12f0be5b11504774819052cc1f5c381ee0b073fe00832faa9bcadff354f8de7
SHA512: 5e708dfa0cae9bfefbb576dccbd5e36d006b9c50528b7c3f591f852614d1530b69ee89068bd17b612b9abbe2568c01a5191d9a13af28d4d5527c66487d90690c