Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/09/2024, 13:50
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20240903-en
General
- Target: file.exe
- Size: 1.6MB
- MD5: 3d6cf2933284333f5d945c062bffcd2b
- SHA1: deb8e888fcea2139a0f91a7a87386c086b71b134
- SHA256: b3058d02ea8c370311e612bd4916e05c8c909b110d3f2c588073c59b2105dba5
- SHA512: 2fc2aa55e05740eba7c8de7c686071a6d6f47a0997d722408c902dce860948e5fc5cbf4e94b788c22120336b00adec58582b4c6f5d6439f6b54da77839351cb0
- SSDEEP: 49152:Zc2/wgEeoVOwjL4aCd/JajeU8PrbS6rgSvkW:CgEdIi4p/J60d
Malware Config
Signatures
- yara_rule (3 memory regions matched by rule upx)
  resource | yara_rule
  behavioral1/memory/2640-0-0x0000000000400000-0x0000000000669000-memory.dmp | upx
  behavioral1/memory/2640-18-0x0000000000400000-0x0000000000669000-memory.dmp | upx
  behavioral1/memory/2640-21-0x0000000000400000-0x0000000000669000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2640 wrote to memory of 2852 | 2640 | file.exe | 32
  PID 2640 wrote to memory of 2852 | 2640 | file.exe | 32
  PID 2640 wrote to memory of 2852 | 2640 | file.exe | 32
  PID 2640 wrote to memory of 2852 | 2640 | file.exe | 32
  PID 2852 wrote to memory of 3008 | 2852 | cmd.exe | 34
  PID 2852 wrote to memory of 3008 | 2852 | cmd.exe | 34
  PID 2852 wrote to memory of 3008 | 2852 | cmd.exe | 34
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2640)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2852, child of 2640)
    command line: C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs)>>C:\Users\Admin\AppData\Local\Temp\kms.log
    signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cscript.exe (PID 3008, child of 2852)
      command line: cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 690B
  MD5: 25af4adc5167282942668d2268bbf95f
  SHA1: 5d6a33f8f0203facfa5ed1d5b5792a1b0bab9499
  SHA256: 59a149cd5afd7edebe7e3b2fa75394cf19b7f565f0a074fcccf3a1b2f2dcfad1
  SHA512: 8262150c8d7685747dbc49ab6b79f42519123074ecf93043dbef3a717d144cea8a473064a478eedac646bd8338e1cd0887d3c904ffc9c9f3bc09b1de3661f99d
- Filesize: 2KB
  MD5: 78d143bc6c1968d0a228b29e823d051e
  SHA1: a11dfa069c0b49487f55b32e8e9e89fad3796b5b
  SHA256: dca511dfdbaadbad34a89f0fa4c86de1a8a37fedc326f7bc17a746d44b0fbaff
  SHA512: af82ab5a8855576f0f29a681b07befd456ebca7e381e8c902e9151ceabf6c59035d02ead07fc98b2e601ea11746887664acee73f39ee2c029685289f9c519068
- Filesize: 35B
  MD5: e9bfae6afd048372cf6695a66262686d
  SHA1: fc18c27beff15ba2e9ef2ff12bf2d439bfb8a2ed
  SHA256: 11332210a88e540bae3535036c386159f68eb495e10a2cd308718decd0fc211a
  SHA512: 3472b837cf7af709f250a42777dde1c9730e9844af32862040d703accd17ce890a7891028a5ad9b040ca00e9bc755b382a458ab4b7cf35c623b615b861ebb748