Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    05/10/2024, 08:53

General

  • Target

    c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe

  • Size

    38KB

  • MD5

    9579fa03a700fa7fa8308e9ed12d9be0

  • SHA1

    93685a9d84cef5613fa9bdd62d4f55631a4a79f0

  • SHA256

    c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8

  • SHA512

    c931e4dc3778455d09b7b551e066827cf8de2e1ec80cbc76af5e7226a4110068616d285502f4a7e65aa8f15dca2a399b9bdfb0554a4617a36f5200918c6e4d20

  • SSDEEP

    768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOZ:NWQa2TLEmITcoQxfllfmS1cOZ

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe
    "C:\Users\Admin\AppData\Local\Temp\c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\sc.exe
      C:\Windows\system32\sc.exe stop wscsvc
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2376
    • C:\Windows\SysWOW64\1230\smss.exe
      C:\Windows\system32\1230\smss.exe -d
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\system32\sc.exe stop wscsvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\1230\smss.exe

    Filesize

    38KB

    MD5

    a1ebe1dbdfd419417148ae81a6dae46c

    SHA1

    3e9b2e99cabf52aa49dab4605596a4a79097b7ea

    SHA256

    4bab5247519a0f67062abc4a35dd1b4aad838f2ed30164c472127abe8445fdc8

    SHA512

    03e1263fd9ec3fb41b10e6272f2ebf6782f0a9590cfa5db20c24f3b8dd870ecb73ea5ce400297beb6a35597a563cc1e55b0a5936d460c7c05985a1734001ee31

  • memory/1744-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/1744-12-0x0000000000270000-0x0000000000292000-memory.dmp

    Filesize

    136KB

  • memory/1744-11-0x0000000000270000-0x0000000000292000-memory.dmp

    Filesize

    136KB

  • memory/1744-18-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2152-20-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB