Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/09/2024, 13:50

General

  • Target

    file.exe

  • Size

    1.6MB

  • MD5

    3d6cf2933284333f5d945c062bffcd2b

  • SHA1

    deb8e888fcea2139a0f91a7a87386c086b71b134

  • SHA256

    b3058d02ea8c370311e612bd4916e05c8c909b110d3f2c588073c59b2105dba5

  • SHA512

    2fc2aa55e05740eba7c8de7c686071a6d6f47a0997d722408c902dce860948e5fc5cbf4e94b788c22120336b00adec58582b4c6f5d6439f6b54da77839351cb0

  • SSDEEP

    49152:Zc2/wgEeoVOwjL4aCd/JajeU8PrbS6rgSvkW:CgEdIi4p/J60d

Score
5/10

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs)>>C:\Users\Admin\AppData\Local\Temp\kms.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\system32\cscript.exe
        cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs
        3⤵
          PID:3008

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\LIC_SWITCH.log

      Filesize

      690B

      MD5

      25af4adc5167282942668d2268bbf95f

      SHA1

      5d6a33f8f0203facfa5ed1d5b5792a1b0bab9499

      SHA256

      59a149cd5afd7edebe7e3b2fa75394cf19b7f565f0a074fcccf3a1b2f2dcfad1

      SHA512

      8262150c8d7685747dbc49ab6b79f42519123074ecf93043dbef3a717d144cea8a473064a478eedac646bd8338e1cd0887d3c904ffc9c9f3bc09b1de3661f99d

    • C:\Users\Admin\AppData\Local\Temp\PID8.vbs

      Filesize

      2KB

      MD5

      78d143bc6c1968d0a228b29e823d051e

      SHA1

      a11dfa069c0b49487f55b32e8e9e89fad3796b5b

      SHA256

      dca511dfdbaadbad34a89f0fa4c86de1a8a37fedc326f7bc17a746d44b0fbaff

      SHA512

      af82ab5a8855576f0f29a681b07befd456ebca7e381e8c902e9151ceabf6c59035d02ead07fc98b2e601ea11746887664acee73f39ee2c029685289f9c519068

    • C:\Users\Admin\AppData\Local\Temp\kms.log

      Filesize

      35B

      MD5

      e9bfae6afd048372cf6695a66262686d

      SHA1

      fc18c27beff15ba2e9ef2ff12bf2d439bfb8a2ed

      SHA256

      11332210a88e540bae3535036c386159f68eb495e10a2cd308718decd0fc211a

      SHA512

      3472b837cf7af709f250a42777dde1c9730e9844af32862040d703accd17ce890a7891028a5ad9b040ca00e9bc755b382a458ab4b7cf35c623b615b861ebb748

    • memory/2640-0-0x0000000000400000-0x0000000000669000-memory.dmp

      Filesize

      2.4MB

    • memory/2640-18-0x0000000000400000-0x0000000000669000-memory.dmp

      Filesize

      2.4MB

    • memory/2640-21-0x0000000000400000-0x0000000000669000-memory.dmp

      Filesize

      2.4MB