Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 16s
  max time network: 16s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 05/10/2024, 08:53
Behavioral task: behavioral1
  Sample: c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe
  Resource: win7-20240729-en
General
  Target: c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe
  Size: 38KB
  MD5: 9579fa03a700fa7fa8308e9ed12d9be0
  SHA1: 93685a9d84cef5613fa9bdd62d4f55631a4a79f0
  SHA256: c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8
  SHA512: c931e4dc3778455d09b7b551e066827cf8de2e1ec80cbc76af5e7226a4110068616d285502f4a7e65aa8f15dca2a399b9bdfb0554a4617a36f5200918c6e4d20
  SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOZ:NWQa2TLEmITcoQxfllfmS1cOZ
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2152  smss.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  1744  c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe
  1744  c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe
Drops file in System32 directory (3 IoCs)
The sample runs as a 32-bit process on this x64 image, so "System32" here resolves to C:\Windows\SysWOW64 (the 32-bit system directory). The dropped binary borrows the name of the Session Manager Subsystem (the legitimate copy is C:\Windows\System32\smss.exe) but is placed in a non-standard subdirectory, 1230\, a masquerading pattern; the second-stage smss.exe then writes a further Service.exe into SysWOW64 itself.
  description                   ioc                                Process
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe  c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe  smss.exe
  File opened for modification  C:\Windows\SysWOW64\Service.exe    smss.exe
YARA rule matches (4 IoCs)
The upx rule matched the sample's in-memory image (pid 1744), the dropped file, and the in-memory image of the dropped smss.exe (pid 2152), all over the same 0x00400000-0x00422000 range.
  resource                                                                     yara_rule
  behavioral1/memory/1744-0-0x0000000000400000-0x0000000000422000-memory.dmp   upx
  behavioral1/files/0x00070000000186d9-4.dat                                   upx
  behavioral1/memory/2152-20-0x0000000000400000-0x0000000000422000-memory.dmp  upx
  behavioral1/memory/1744-18-0x0000000000400000-0x0000000000422000-memory.dmp  upx
Launches sc.exe (2 IoCs)
sc.exe is the Windows utility for controlling services on the system. Both invocations here are `sc.exe stop wscsvc`, which stops the Windows Security Center service (wscsvc) and so silences the security-status monitoring it provides; the sample issues it once directly and once again from the dropped smss.exe.
  pid   Process
  2376  sc.exe
  1796  sc.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is a weak indicator: the key is read by ordinary processes too, as the two sc.exe instances below show.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  smss.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1744  c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe
  2152  smss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Every target PID below (2376, 2152, 1796) is a child the writing process had just spawned, so these writes are consistent with ordinary process creation rather than injection into an unrelated process; the 12 entries are four writes for each of the three parent/child pairs.
  description                     pid   Process                                                                  procid_target
  PID 1744 wrote to memory of 2376 (x4)  1744  c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe  29
  PID 1744 wrote to memory of 2152 (x4)  1744  c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe  31
  PID 2152 wrote to memory of 1796 (x4)  2152  smss.exe                                                                 32
Processes
The command lines say C:\Windows\system32 while the executed images sit in C:\Windows\SysWOW64: the processes are 32-bit, so WOW64 file-system redirection maps the system32 path to SysWOW64.

C:\Users\Admin\AppData\Local\Temp\c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe (PID 1744)
  command line: "C:\Users\Admin\AppData\Local\Temp\c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sc.exe (PID 2376)
    command line: C:\Windows\system32\sc.exe stop wscsvc
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\1230\smss.exe (PID 2152)
    command line: C:\Windows\system32\1230\smss.exe -d
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe (PID 1796)
      command line: C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
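The three behaviours this tree exposes (sc.exe stopping wscsvc, an smss.exe running from outside System32, and a process from %TEMP% or from a nested system subdirectory writing into a system directory) can each be expressed as a detection over process-creation and file-write records. The script below is an added example, not tria.ge's own logic or anything from the sample. The event records are constructed to mirror the report: the PIDs, image paths and command lines are the report's, while the sample's parent process (explorer.exe), the three benign control rows and the record layout itself are assumptions; extending the service list beyond wscsvc to WinDefend, MpsSvc and wuauserv is also an extension beyond the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# wscsvc (Windows Security Center) is the service stopped in the report above.
# The other three are an added extension to other common defence services,
# not taken from the page.
DEFENCE_SERVICES = {"wscsvc", "windefend", "mpssvc", "wuauserv"}
# The legitimate Session Manager lives here; any other smss.exe is masquerading.
LEGIT_SMSS = r"c:\windows\system32\smss.exe"
# Writes under these roots by a process that does not itself sit directly in
# one of them (e.g. runs from %TEMP% or from SysWOW64\1230\) are flagged.
# Legitimate installers will also trip this; tune for your estate.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SC_STOP = re.compile(r"\b(stop|delete)\s+([A-Za-z0-9_]+)", re.IGNORECASE)


@dataclass
class ProcEvent:          # assumed layout, loosely Sysmon event 1 fields
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass
class FileEvent:          # assumed layout, loosely Sysmon event 11 fields
    pid: int
    image: str            # process doing the write
    target: str           # file written


def norm(path: str) -> str:
    """Case-fold and strip quotes so path comparisons are stable."""
    return path.strip('"').lower()


def sc_stops_defence_service(e: ProcEvent) -> Optional[str]:
    """sc.exe stopping or deleting a defence service, with parent for context."""
    if not norm(e.image).endswith("\\sc.exe"):
        return None
    m = SC_STOP.search(e.cmdline)
    if not m or m.group(2).lower() not in DEFENCE_SERVICES:
        return None
    return (f"pid {e.pid}: sc.exe {m.group(1).lower()} {m.group(2)} "
            f"(parent pid {e.parent_pid}, {e.parent_image})")


def masquerading_smss(e: ProcEvent) -> Optional[str]:
    """smss.exe executing from anywhere but C:\\Windows\\System32."""
    img = norm(e.image)
    if img.rsplit("\\", 1)[-1] == "smss.exe" and img != LEGIT_SMSS:
        return f"pid {e.pid}: smss.exe running from {e.image}"
    return None


def untrusted_write_to_system_dir(f: FileEvent) -> Optional[str]:
    """Write into a system directory by a process that is not itself in one."""
    writer, target = norm(f.image), norm(f.target)
    if not target.startswith(SYSTEM_DIRS):
        return None
    writer_dir = writer.rsplit("\\", 1)[0] + "\\"
    if writer_dir in SYSTEM_DIRS:
        return None
    return f"pid {f.pid}: {f.image} wrote {f.target}"


def run_detections(procs: List[ProcEvent], files: List[FileEvent]) -> Dict[str, List[str]]:
    hits: Dict[str, List[str]] = {"sc_stop_defence_service": [],
                                  "masquerading_smss": [],
                                  "untrusted_write_to_system_dir": []}
    for e in procs:
        for name, rule in (("sc_stop_defence_service", sc_stops_defence_service),
                           ("masquerading_smss", masquerading_smss)):
            hit = rule(e)
            if hit:
                hits[name].append(hit)
    for f in files:
        hit = untrusted_write_to_system_dir(f)
        if hit:
            hits["untrusted_write_to_system_dir"].append(hit)
    return hits


# Constructed events mirroring the report's process tree. The sample's parent
# and the rows marked benign are assumptions added as negative controls.
SAMPLE = "c79a2fd88cdeb20e40b6a4714140967a699359c165a5e17adca4e7d49efeb2a8N.exe"
TEMP_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
DROPPED_SMSS = r"C:\Windows\SysWOW64\1230\smss.exe"
PROC_EVENTS = [
    ProcEvent(1744, TEMP_SAMPLE, f'"{TEMP_SAMPLE}"', 1000, r"C:\Windows\explorer.exe"),
    ProcEvent(2376, r"C:\Windows\SysWOW64\sc.exe", r"C:\Windows\system32\sc.exe stop wscsvc", 1744, TEMP_SAMPLE),
    ProcEvent(2152, DROPPED_SMSS, r"C:\Windows\system32\1230\smss.exe -d", 1744, TEMP_SAMPLE),
    ProcEvent(1796, r"C:\Windows\SysWOW64\sc.exe", r"C:\Windows\system32\sc.exe stop wscsvc", 2152, DROPPED_SMSS),
    ProcEvent(500, r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe", 4, "System"),  # benign
    ProcEvent(3001, r"C:\Windows\System32\sc.exe", "sc.exe query wscsvc", 3000, r"C:\Windows\System32\cmd.exe"),  # benign
]
FILE_EVENTS = [
    FileEvent(1744, TEMP_SAMPLE, DROPPED_SMSS),
    FileEvent(2152, DROPPED_SMSS, r"C:\Windows\SysWOW64\Service.exe"),
    FileEvent(3002, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\LogFiles\example.log"),  # benign
]

if __name__ == "__main__":
    for rule, found in run_detections(PROC_EVENTS, FILE_EVENTS).items():
        print(rule, len(found))
        for line in found:
            print("  ", line)
```

Run against the constructed events, the sc.exe rule fires twice (PIDs 2376 and 1796, each with its parent recorded), the masquerading rule fires once for the SysWOW64\1230\smss.exe instance but not for the real Session Manager, and the system-directory rule catches both the drop from %TEMP% and the second-stage write of Service.exe while ignoring svchost.exe writing under System32. The parent context on the sc.exe hit is what turns a noisy `sc stop` signal into something actionable: a service-control command whose parent lives in a user's Temp directory or in a made-up system subdirectory is far more telling than the command alone.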
Network
MITRE ATT&CK Enterprise v15
Downloads
These hashes differ from the submitted sample's, so the downloadable dropped file is not byte-identical to it despite the matching 38KB size.
  Filesize: 38KB
  MD5: a1ebe1dbdfd419417148ae81a6dae46c
  SHA1: 3e9b2e99cabf52aa49dab4605596a4a79097b7ea
  SHA256: 4bab5247519a0f67062abc4a35dd1b4aad838f2ed30164c472127abe8445fdc8
  SHA512: 03e1263fd9ec3fb41b10e6272f2ebf6782f0a9590cfa5db20c24f3b8dd870ecb73ea5ce400297beb6a35597a563cc1e55b0a5936d460c7c05985a1734001ee31