Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 115s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04/10/2024, 20:19
Static task: static1
Behavioral task: behavioral1
- Sample: c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
- Resource: win10v2004-20240802-en
General
- Target: c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
- Size: 205KB
- MD5: 03391529051474aa9bddad0823cfed50
- SHA1: cb4c154ace7a7b787a296f49f219d79e5b53a703
- SHA256: c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8
- SHA512: 6ba1396e49adf0eabdf2f530b92c465e51e1fb01a4550ef37f2bad99a57bf2419837ba4fce7f1d4a94d0f33a99636bfe336d76e9f8d514a1a3c3dae46b943180
- SSDEEP: 3072:0IXqry+d3DxQcv7zhWPk65Ui8BhmqjNj8DCUNUO42YwHdKpUUzE0mu87dw:dQCcv7Mk6bgL5jMCeU3dRCUI0mu8
Malware Config
Signatures
Loads dropped DLL (5 IoCs)
- PID 2104, process c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe (1 entry)
- PID 2764, process rundll32.exe (4 entries)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle" (process: c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe)
Drops file in System32 directory (1 IoC)
- File created: C:\Windows\SysWOW64\sshnas21.dll (process: c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe)
Suspicious behavior: EnumeratesProcesses (26 IoCs)
- PID 2104, process c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe (2 entries)
- PID 2764, process rundll32.exe (24 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2104, process c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
Suspicious use of WriteProcessMemory (7 IoCs)
- PID 2104 (c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe) wrote to memory of PID 2764, procid_target 30 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe (PID 2104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\rundll32.exe (PID 2764)
    Command line: rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Download 1
  - Filesize: 2B
  - MD5: 309fc7d3bc53bb63ac42e359260ac740
  - SHA1: 2064f80f811db79a33c4e51c10221454e30c74ae
  - SHA256: ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa
  - SHA512: 77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8
- Download 2
  - Filesize: 168KB
  - MD5: 0b62e0a8526991fad4b3fe5aceaedf1f
  - SHA1: 19120b4fb5a27a6f332c56502dc2af7b429aa810
  - SHA256: 29bdb931756bc54b99f0c1dd2c1f602ac9531f43796210b0976506d137e44170
  - SHA512: df974e8c21d329f88196e6ad0ae2953fa1e20ad9e36b2c8fe53f4130519ed63fbe2fc5e11646902293eb4fae5b5bb1248575d6203288cf3700d2fdadddaa6b0e