Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
10/10/2024, 00:09
General
-
Target
664a737c4401f5c45fe541088551335214e71bdd5fbbd887b1c6ccdde443fc34N.exe
-
Size
938KB
-
MD5
451a16a85434ed59c9000c5e8e8b1c50
-
SHA1
b85cb2a47bea248cea8b6969c7f4a06ad4405352
-
SHA256
664a737c4401f5c45fe541088551335214e71bdd5fbbd887b1c6ccdde443fc34
-
SHA512
e24b8adde9c33fab57fede1cccee3c9022f5e9a9e637f8cb990eb95e1fcc29c631d021939afc6513550fa47c88d3f44713f98f5bbc91acba6837357a0eafc793
-
SSDEEP
24576:v6Zv2ivhBVnFys7xP86LkRCwPYfuukvDtiflQRg:vE2ivhQs7dLkRumsH
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 1 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in System32 directory 6 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\664a737c4401f5c45fe541088551335214e71bdd5fbbd887b1c6ccdde443fc34N.exe"C:\Users\Admin\AppData\Local\Temp\664a737c4401f5c45fe541088551335214e71bdd5fbbd887b1c6ccdde443fc34N.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.exeC:\Windows\svchost.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
942KB
MD511646586ac50311f265cd58ec2d7afcc
SHA1e3e48a49c64cb9d6c464364ef42d492da6c4a501
SHA256c52ba1a5c3af2df5bf2e960904127903c83d7853f5a3c2859f423d3b0e8fac6d
SHA512491ef83dcd35ec1e373edc9b2b4e212e11e95e0d89243b5cbf387a945685396d9105535b7e99a61468a2266a508411ff9390a0a632a3d2f786f1189ebeddef0b
-
Filesize
943KB
MD58e06b5e1f43636263887760debde90ff
SHA1c711eb66c5fee39943a160d1f56ceb457d3c4c8b
SHA2569d7f82f6f139174f2d84754d54dac966ab47b938c215f4046ae186a021b5a2f7
SHA5129056f193643e46cd7a9253a42794a7f9e52400a539417f1f0dd055ab2f6e60189275bbcb43287087dedb8099969e4ea59eed9926939186dd0aaa20c0d6f1f2ed
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB