Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 04:52

General

  • Target

    Uninstall.exe

  • Size

    46KB

  • MD5

    b51e596c57f6d919c3c5df362c651e96

  • SHA1

    c396b68d6862e8e82fdd6cbf2ac06777e707b60b

  • SHA256

    3523d26040cf6c96b5642f64ed273fed129e80114b5c17aa98b647f088ad24c7

  • SHA512

    58173c86dc1469015569a2fb49b0e77e625e454f28d7bd50a03f2cf8160b3052bedcbdc1f9ffcbb90220bdd5da4797be798b8b82ce929bb89d6609dd5f95ca08

  • SSDEEP

    768:HSup23EQCjlQRB8/ewZ1iU6nyYFxbssT/F/O71mJ5VtD3z9S6Qa/g0kDi7Woln:yu4EQalMK/ewGnh0mJ1D3Fxau7Zln

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsy823C.tmp\System.dll

    Filesize

    10KB

    MD5

    82f7926fd7d12e3eb8ed7b5232bcf956

    SHA1

    6065fc921b742cc86c77ce2533fc1d17359eb45e

    SHA256

    604b5e75f43ffae8f172018cdd8f136392d9c52ae0c100d27ef537bb2dfb3984

    SHA512

    b31a63ebbda8f147c32d8336c5ecde8c5261ad5526b01926d7cd74b7a9a1348da56e180e53d20e1e300daca76f9511f24d6e695550b705b7650c239e5b6e76c7

  • \Users\Admin\AppData\Local\Temp\nsy823C.tmp\nsDialogs.dll

    Filesize

    8KB

    MD5

    f42b19bd20c82eabcfe14273499e7664

    SHA1

    99310fe91a2e2fbe720761b5625e1f83afeee0db

    SHA256

    c99f30f5e2dfd948b7da2219bc5a0a73836a70e2486272b42c3ca45710b0316a

    SHA512

    c6867ee68b3099a9b03aba7367ed6e55576f874eccab71fbebbc9c3cb01f20e616615e8080c2a379b7e7da1abe6cd776f862f8c9ad4dce38d2fa79b48fa38e49

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

    Filesize

    46KB

    MD5

    b51e596c57f6d919c3c5df362c651e96

    SHA1

    c396b68d6862e8e82fdd6cbf2ac06777e707b60b

    SHA256

    3523d26040cf6c96b5642f64ed273fed129e80114b5c17aa98b647f088ad24c7

    SHA512

    58173c86dc1469015569a2fb49b0e77e625e454f28d7bd50a03f2cf8160b3052bedcbdc1f9ffcbb90220bdd5da4797be798b8b82ce929bb89d6609dd5f95ca08