Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    12/10/2024, 15:23

General

  • Target

    2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe

  • Size

    388KB

  • MD5

    7460a359bf50d12d26232d79412a3eb7

  • SHA1

    59ef372a1a44bea53474700ea1479d36e668b9a8

  • SHA256

    5c946780a5cab532e7c437b8b555456b319736e40b524446ce350efd29790f89

  • SHA512

    1b1fcf81f063f66e83fa699de374139c5e220d61062a337adb0280e901279c1278458102c38ebe04e9bc147e9a55cd87086dc31dd08da03d33cf0fb06c604b31

  • SSDEEP

    6144:/aPIWVeTdJKsLxgcSNDQL5Q9VuwLmh0kdH371oHVCvvm:/uTs1gBpQL5kmh0671o1CG

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\users\Public\conlhost.exe
      "C:\users\Public\conlhost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\users\Public\del.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1300
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4692
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2944
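The process tree above is a compact behaviour chain: the dropper in the user's Temp directory starts a copy of itself as C:\users\Public\conlhost.exe, which then runs a batch file from the same world-writable folder, registers itself under the HKCU Run key as "allkeeper", and writes a "crypted" marker value under HKCU\SOFTWARE. The following added example (not part of the tria.ge report or the sample) turns that chain into detection logic over process-creation events. The events are constructed inline to mirror the tree, with PIDs taken from the report; the field names pid/ppid/image/cmdline are an assumed normalised form of Sysmon Event ID 1, and the parent PID of the dropper and the benign control event are invented for illustration.

```python
"""Detection rules for the 7ev3n behaviour chain shown in the process tree.

Added example, not code from tria.ge or from the sample. Events are
constructed to mirror the report; the pid/ppid/image/cmdline shape is an
assumed normalisation of Sysmon Event ID 1 (process creation).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe"

# Constructed events. PIDs 4564/1800/1300/4692/2944 come from the report; the
# dropper's parent (1234) and the benign REG QUERY (pid 5000) are assumptions.
EVENTS = [
    ProcEvent(4564, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1800, 4564, r"C:\users\Public\conlhost.exe", r'"C:\users\Public\conlhost.exe"'),
    ProcEvent(1300, 1800, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\users\Public\del.bat"),
    ProcEvent(4692, 1800, r"C:\Windows\SysWOW64\REG.exe",
              r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
              r'/v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64'),
    ProcEvent(2944, 1800, r"C:\Windows\SysWOW64\REG.exe",
              r'REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64'),
    # Control event: legitimate REG use that must not fire any rule.
    ProcEvent(5000, 900, r"C:\Windows\System32\REG.exe",
              r'REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
]

# C:\Users\Public is writable by every local user and is a common staging dir.
PUBLIC = re.compile(r"^c:\\users\\public\\", re.I)
# REG ADD into the per-user Run key (HKCU or its long form).
RUN_KEY = re.compile(
    r'reg\s+add\s+"?hk(ey_current_user|cu)\\software\\microsoft\\windows\\currentversion\\run\b', re.I)
RUN_DATA = re.compile(r'\s/d\s+"?([^"\s]+)', re.I)
# The "crypted" marker this family writes directly under HKCU\SOFTWARE.
CRYPTED = re.compile(r'reg\s+add\s+"?hk(ey_current_user|cu)\\software"?\s+/v\s+"?crypted"?', re.I)
# cmd /c <something>.bat, capturing the batch path for a location check.
CMD_BAT = re.compile(r'cmd(\.exe)?\s+/c\s+(?P<bat>\S+\.bat)\b', re.I)


def detect(events):
    """Return {rule_name: [pids]} for every event that matches a rule."""
    hits = {"exec_from_public": [], "run_key_to_public": [],
            "crypted_marker": [], "batch_from_public": []}
    for e in events:
        # Rule 1: any executable launched out of C:\Users\Public.
        if PUBLIC.match(e.image):
            hits["exec_from_public"].append(e.pid)
        # Rule 2: Run-key persistence whose target lives in Public.
        if RUN_KEY.search(e.cmdline):
            m = RUN_DATA.search(e.cmdline)
            if m and PUBLIC.match(m.group(1)):
                hits["run_key_to_public"].append(e.pid)
        # Rule 3: the family-specific "crypted" infection marker.
        if CRYPTED.search(e.cmdline):
            hits["crypted_marker"].append(e.pid)
        # Rule 4: cmd /c running a batch file staged in Public.
        m = CMD_BAT.search(e.cmdline)
        if m and PUBLIC.match(m.group("bat")):
            hits["batch_from_public"].append(e.pid)
    return hits


def ancestry(events, pid):
    """Walk ppid links upward so an alert can be tied back to the dropper."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        for pid in pids:
            print(f"{rule}: pid {pid}, chain {ancestry(EVENTS, pid)}")
```

Each rule fires on exactly one event in the tree, the REG QUERY control event fires none, and ancestry() ties every hit back through conlhost.exe (1800) to the dropper (4564). The content of del.bat is not shown in the report, so rule 4 keys only on the batch file's location, not on what it does.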

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\FILES_BACK.txt

    Filesize

    177B

    MD5

    fc605d0a0029f229d0ed645293ece316

    SHA1

    9ee4a83cd232b15790107ebbb98b4b515839f219

    SHA256

    a2a678d59020d212a1ec32810466b9a2bc4d17fcfff8edd6c07c5aa8ef15b25f

    SHA512

    2e43a1bbb43f9371cfcdcf550a205bb123a2facf17cbdd180591eb7a7c3ee75b5aae0a59654898814e4dee9d7bdf4ff3f6b50a37f0fbd5252865a23655b261e1

  • C:\Users\Public\conlhost.exe

    Filesize

    388KB

    MD5

    27d33f614c617e7a75012dba6a7a7c62

    SHA1

    1dd7b0d4815e29565fa347ff80dd6b1f0700da06

    SHA256

    4210c407042bcc8dd97f1b437f2ff5119b8e1b19cf58029b82dcef92cbd50ff2

    SHA512

    76c2acd2c72114d14a813b6b8f6bdb96b3778ca196d10e4b599deb5fc25909ba21b2ebf09882ea9e877daca998b45bad594a1fe0c1fd6f9eb450208785cc926c

  • C:\users\Public\del.bat

    Filesize

    115B

    MD5

    fe2a06d784fe2f25235373e73049b386

    SHA1

    b9a61457a8119dd9ebb449a3f114513a361d0eb2

    SHA256

    2ae1e4904dbe4f97f20a07ad3b44961a9beae8c92525f3da24e16fa662519058

    SHA512

    3f64d9f8ead2916e02a3db9baf345397972565bc4616968996f9c04515cd90b5550f09a66bf5b1928be6874dae1db0ba632e23e2ae8c51ffefadd9bfffce1f06