Analysis
Max time kernel: 117s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 01/10/2024, 15:17
Behavioral task: behavioral1
Sample: 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
Resource: win7-20240704-en

General
Target: 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
Size: 38KB
MD5: f149768634bc97725c0bcef7b4976f40
SHA1: ad9193c31cbe5114429130b20e2c016ebd93a852
SHA256: 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6d
SHA512: 5bead3cbdde9179107e8bc0a58f1ac40bca508d9f13ab0eb58d84729d262324cbe8ef37dc501bb3be7f12193328e6133391f712d7a98a27a3b44a83f33eafab9
SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cE4:NWQa2TLEmITcoQxfllfmS1c1
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID   Process
  2236  smss.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
  1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe

Drops file in System32 directory (3 IoCs)
  Description                   IoC                                 Process
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   smss.exe
  File opened for modification  C:\Windows\SysWOW64\Service.exe     smss.exe

Yara rule matches
  Resource                                                                     yara_rule
  behavioral1/memory/1864-0-0x0000000000400000-0x0000000000422000-memory.dmp   upx
  behavioral1/files/0x00070000000173c8-4.dat                                   upx
  behavioral1/memory/2236-13-0x0000000000400000-0x0000000000422000-memory.dmp  upx
  behavioral1/memory/1864-19-0x0000000000400000-0x0000000000422000-memory.dmp  upx
  behavioral1/memory/2236-21-0x0000000000400000-0x0000000000422000-memory.dmp  upx

Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
  PID   Process
  2136  sc.exe
  840   sc.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  smss.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
  2236  smss.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process                                                                  procid_target
  PID 1864 wrote to memory of 2136   1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe  30
  PID 1864 wrote to memory of 2136   1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe  30
  PID 1864 wrote to memory of 2136   1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe  30
  PID 1864 wrote to memory of 2136   1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe  30
  PID 1864 wrote to memory of 2236   1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe  32
  PID 1864 wrote to memory of 2236   1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe  32
  PID 1864 wrote to memory of 2236   1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe  32
  PID 1864 wrote to memory of 2236   1864  32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe  32
  PID 2236 wrote to memory of 840    2236  smss.exe                                                                 33
  PID 2236 wrote to memory of 840    2236  smss.exe                                                                 33
  PID 2236 wrote to memory of 840    2236  smss.exe                                                                 33
  PID 2236 wrote to memory of 840    2236  smss.exe                                                                 33
Processes

C:\Users\Admin\AppData\Local\Temp\32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe"
  PID: 1864
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    PID: 2136
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\1230\smss.exe
    Command line: C:\Windows\system32\1230\smss.exe -d
    PID: 2236
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      PID: 840
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 38KB
MD5: 51438c92fa6c3cc78e8965b01a6ffa36
SHA1: b0b25d71cbc23894560266da5b0a1031ca307125
SHA256: 00fe186f37ca6cb660a77f26204123a3072a3d4ce69cf519d81600ccb4b273e3
SHA512: d3babac8a69fc35ca7cd8c2f7a76ca586b5996bd8fafe0debc7abdaf19ec512c8faf183a3c3b0d730288fea5097c0c8ac7980392267a30c9fcf81be1bb44a916