Analysis
- max time kernel: 75s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/09/2024, 06:26
Static task: static1

Behavioral task: behavioral1
- Sample: 37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
- Resource: win10v2004-20240802-en
General
- Target: 37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
- Size: 4.2MB
- MD5: 7838d252ba4b3d75f9b202f325cdb830
- SHA1: de7022425617f80cfa0fd9922dfab3a9cfb17735
- SHA256: 37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7c
- SHA512: aedcdd7327155d25799b42f29bca9632f186470dc5e51d3893b80770656078808d364060b6f091bbfba6b05709b3cf25c3a221278051799403fee95423a97f2b
- SSDEEP: 98304:Cmhd1UryeqmSVrXfBVVLUjH5oxFbxhVLUjH5oxFbx:ClKRVTXVUjZEdhVUjZEd
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2500, process E447.tmp
- Executes dropped EXE (1 IoC)
  PID 2500, process E447.tmp
- Loads dropped DLL (2 IoCs)
  PID 1916, process 37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
  PID 1916, process 37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process 37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1916 (37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe) wrote to memory of PID 2500, target procid 31
  PID 1916 (37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe) wrote to memory of PID 2500, target procid 31
  PID 1916 (37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe) wrote to memory of PID 2500, target procid 31
  PID 1916 (37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe) wrote to memory of PID 2500, target procid 31
Processes
- C:\Users\Admin\AppData\Local\Temp\37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe (PID 1916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\E447.tmp (PID 2500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\E447.tmp" --splash C:\Users\Admin\AppData\Local\Temp\37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe 582DF4FFE06C7B9BBEFEF5B06BD589F13D90838F589269ED587CDDED0D2832DAFC9DA1D63BAA526AC5E002B78EC9FC4865CCC283AF14EE86FCC304C343CB5C62
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.2MB
- MD5: 016a0faf76b8df240fec1e2a1fcaae77
- SHA1: 2eab08df1e3186f340192558476cb2aae2b9fa3f
- SHA256: 0978413d936d424c3bda3d2826b8aa6b88634258e80fa2b6f1d581b6ef636b44
- SHA512: 7c556374d844b5de96710e77274415bb40ea988896375f3d62b44ce5ce8a89baabec4fbe34124ade06d6cd2fa665fa1a53b06c24b16e8c7a20ca4ac36d6cd08a