Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
01/10/2024, 11:50
Static task
static1
Behavioral task
behavioral1
Sample
68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe
Resource
win10v2004-20240802-en
General
-
Target
68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe
-
Size
65KB
-
MD5
210ff1e2bdc12f58f5b5f25c671c5c00
-
SHA1
13de23ccbe5a36854b145297287360b652053113
-
SHA256
68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931b
-
SHA512
ed7002d09e034ae9b07b9acded7be1ab20afce1e4c72beec4f63b69a5b8122c8aa0969696060141e70e8543b01767320328cf70a15b4a2386f19b5a32be46b48
-
SSDEEP
1536:lAo0ej2d6rnJwwvlKlIUBP6vghzwYu7vih9GueIh9j2IoHAjU+EmkcU+uZd7ZY8c:lAo1lOwvlKlXBP6vghzwYu7vih9GueIL
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2028 microsofthelp.exe -
Executes dropped EXE 1 IoCs
pid Process 2028 microsofthelp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" 68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\microsofthelp.exe 68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe File created C:\Windows\HidePlugin.dll microsofthelp.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2396 wrote to memory of 2028 2396 68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe 30 PID 2396 wrote to memory of 2028 2396 68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe 30 PID 2396 wrote to memory of 2028 2396 68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe 30 PID 2396 wrote to memory of 2028 2396 68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe"C:\Users\Admin\AppData\Local\Temp\68a5711a0a9034dbd82ca6da70c3f1700763bf14ca3ae0d88a730cc3e4db931bN.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\microsofthelp.exe"C:\Windows\microsofthelp.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Windows directory
PID:2028
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5b1a7fac835840e66a0e1ad90789c02bc
SHA1978d6bfe4e4c3a2b097fa3b9c4a6a10f6b2bb7ec
SHA256f281acc606f3153729c340c046eabaa9443e770f9b7cbf53e86b6d9dcc771388
SHA512224d70448c0705e5084a4d47a559deacb1c41843ab0775d057e0501b4dd9e0ee9ebeb68b7b7c3aef1a6e49f6f1918f0d7cd3697d783b4e76c66965be2d7d999e