Analysis
- max time kernel: 114s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2024, 15:17
Behavioral task
- behavioral1
- Sample: 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
- Resource: win7-20240704-en
General
- Target: 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
- Size: 38KB
- MD5: f149768634bc97725c0bcef7b4976f40
- SHA1: ad9193c31cbe5114429130b20e2c016ebd93a852
- SHA256: 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6d
- SHA512: 5bead3cbdde9179107e8bc0a58f1ac40bca508d9f13ab0eb58d84729d262324cbe8ef37dc501bb3be7f12193328e6133391f712d7a98a27a3b44a83f33eafab9
- SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cE4:NWQa2TLEmITcoQxfllfmS1c1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid / Process:
  - 4808 smss.exe
- Drops file in System32 directory (3 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Windows\SysWOW64\1230\smss.exe (32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe)
  - File opened for modification: C:\Windows\SysWOW64\1230\smss.exe (smss.exe)
  - File opened for modification: C:\Windows\SysWOW64\Service.exe (smss.exe)
- YARA rule matches (rule: upx)
  resource / yara_rule:
  - behavioral2/memory/2564-0-0x0000000000400000-0x0000000000422000-memory.dmp upx
  - behavioral2/files/0x00070000000236d2-5.dat upx
  - behavioral2/memory/2564-11-0x0000000000400000-0x0000000000422000-memory.dmp upx
  - behavioral2/memory/4808-13-0x0000000000400000-0x0000000000422000-memory.dmp upx
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid / Process:
  - 2032 sc.exe
  - 2412 sc.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (smss.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sc.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process:
  - 2564 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
  - 4808 smss.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  - PID 2564 wrote to memory of 2032 | 2564 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe | 89
  - PID 2564 wrote to memory of 2032 | 2564 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe | 89
  - PID 2564 wrote to memory of 2032 | 2564 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe | 89
  - PID 2564 wrote to memory of 4808 | 2564 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe | 91
  - PID 2564 wrote to memory of 4808 | 2564 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe | 91
  - PID 2564 wrote to memory of 4808 | 2564 32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe | 91
  - PID 4808 wrote to memory of 2412 | 4808 smss.exe | 92
  - PID 4808 wrote to memory of 2412 | 4808 smss.exe | 92
  - PID 4808 wrote to memory of 2412 | 4808 smss.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2564
  - C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2032
  - C:\Windows\SysWOW64\1230\smss.exe
    Command line: C:\Windows\system32\1230\smss.exe -d
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4808
    - C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
  PID:64
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 38KB
  MD5: 2d9fe45e88a0bb2ab2056bf0cc24ce11
  SHA1: 2c32f811899e5497f9e02aa4fce3de1c0b02c189
  SHA256: 724d1340c3b7e4d50dfb320eaefcee0d9ba34827ea721af5087de7744707d126
  SHA512: 53b320fd6a7de0797dc237826ba19d5a61d1630a226b69b10a6c4df16f0448da3f8b7441eb02d08c38ea8661550fa717927bafe669017ca14657ad34ec970604