Analysis
  max time kernel: 94s
  max time network: 97s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/10/2024, 07:29
Static task
  static1
Behavioral task
  behavioral1
  Sample: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
  Resource: win7-20240903-en
Behavioral task
  behavioral2
  Sample: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
  Resource: win10v2004-20241007-en
General
  Target: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
  Size: 1.2MB
  MD5: 85c166278e70bbe6348c938cdb252040
  SHA1: 2d4293b681b195bc4e678f33983046d811e99a9b
  SHA256: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702
  SHA512: 21c944f8bc8f23514b27d469a490142406d8ebbd506464fb25e6240ec3469d823e5bc59d5c59aa0c11ca85197b399d3d73703a6fa63028f511993eab1ca4cc43
  SSDEEP: 24576:W4lavt0LkLL9IMixoEgeapNBk23IAg8q9MmCS:hkwkn9IMHeapP9paPCS
Malware Config
Signatures
  AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
    resource: behavioral2/memory/2776-8-0x0000000001100000-0x0000000001500000-memory.dmp
    yara_rule: autoit_exe
  Suspicious use of SetThreadContext (1 IoC)
    description: PID 2776 set thread context of 2352
    pid: 2776
    Process: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
    procid_target: 86
  Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
  System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid: 2352
    Process: svchost.exe
    (the same pid/process entry is reported 14 times)
  Suspicious behavior: MapViewOfSection (1 IoC)
    pid: 2776
    Process: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
  Suspicious use of FindShellTrayWindow (2 IoCs)
    pid: 2776
    Process: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
    (the same entry is reported twice)
  Suspicious use of SendNotifyMessage (2 IoCs)
    pid: 2776
    Process: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
    (the same entry is reported twice)
  Suspicious use of WriteProcessMemory (4 IoCs)
    description: PID 2776 wrote to memory of 2352
    pid: 2776
    Process: 476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
    procid_target: 86
    (the same entry is reported 4 times)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe"
     PID: 2776
     - Suspicious use of SetThreadContext
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of FindShellTrayWindow
     - Suspicious use of SendNotifyMessage
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\476b432afd2c5531a862144c69d73ba28532fbe8e15b4b89c1f705a98545b702N.exe"
        PID: 2352
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 282KB
  MD5: 3a897a80c81f40269c230914fa18deeb
  SHA1: 833d418e09ac8b49207d250a133900eb0ac62ee8
  SHA256: 36762a4c7aa4c3c7df720e6888d06f27e5329796511a367f29cde4e91b2f0c00
  SHA512: 3e8025bf530aef14020a458698399e9aef8d8cf380b588d15b68434206bd217e9b9b3af625b7abd06edf8be853f0d26a249d82e71fd5a67ca627a7dfb9543385