Analysis
- max time kernel: 149s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 03/10/2024, 04:08
Static task: static1
Behavioral task: behavioral1
  Sample: 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe
  Resource: win10v2004-20240802-en
General
- Target: 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe
- Size: 1.1MB
- MD5: bb2afeacb67f45c13256c9cc582ae859
- SHA1: 082bd643036191d1e0682addd1527b27d6bb7ddb
- SHA256: 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68
- SHA512: aefdb946a2ab4a41267b9c80e731822e2fe2b53a3e70aa78c75195bcddb2e67bd8c55c02e4d753f50ed5d42a773a50755bd60406aea0e51f939214d3d27fbe13
- SSDEEP: 24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QM:CcaClSFlG4ZM7QzML
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  1760 | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1760 | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  1760 | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1760 | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe
  1760 | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1760 wrote to memory of 1964 | 1760 | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe | 30
  PID 1760 wrote to memory of 1964 | 1760 | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe | 30
  PID 1760 wrote to memory of 1964 | 1760 | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe | 30
  PID 1760 wrote to memory of 1964 | 1760 | 9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fff35475830cd1cf07f9211883e1d945a7694b9ac05f2f479874a9d79c98e68.exe"
  PID: 1760
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (level 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 1964
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 753B
  MD5: 6c57b07bb8b01abe40b0d0572c6e0f80
  SHA1: 36306c8a2ea19103b9a0758652f7eda568715b86
  SHA256: 747c559fb6fadc6cbea578640de8d4fecb5b503553e8d789ab4783a90cccbc45
  SHA512: 82e7c12d106c56592f294e67aa36c2e87152026ff985c3eb54bdf727ec12e1db3c33e64a15fa953590cb63dc2c628312897e39e27a7848ebe795a212079dd1d1