Analysis
- max time kernel: 149s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2024, 21:34
Static task: static1
Behavioral task: behavioral1
- Sample: 48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe
- Resource: win10v2004-20241007-en
General
- Target: 48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe
- Size: 66KB
- MD5: 159bda9b84cd2b45639489c96e6053ce
- SHA1: bb6191bfc4557fd418be6862c571abd8b2f40d76
- SHA256: 48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5
- SHA512: 2943beff2cb4ec98e2ba5327c8e055febfe81c79116faad5945538a68b3222fd319117b482ef5b0c5acbaad51fef5f4b5b2e052fdc163c768a9c562eec93b1d4
- SSDEEP: 1536:NAo0Tj2d6rnJwwvl4ulkP6vghzwYu7vih9GueIh9j2IoHAcBHUIF2kvEHrGhVhoQ:NAoglOwvl4ulkP6vghzwYu7vih9GueIQ
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2324, process microsofthelp.exe
- Executes dropped EXE (1 IoC)
  pid 2324, process microsofthelp.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" (process 48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\microsofthelp.exe (process 48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe)
  File created: C:\Windows\HidePlugin.dll (process microsofthelp.exe)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1660 (48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe) wrote to memory of PID 2324, procid_target 30; the same entry is recorded four times
Processes
- C:\Users\Admin\AppData\Local\Temp\48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe (PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\microsofthelp.exe (PID 2324)
    Command line: "C:\Windows\microsofthelp.exe"
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Windows directory
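The behaviour chain above (drop a PE into the Windows directory root, register it under the user's Run key, then execute it) is what a detection should key on; the four WriteProcessMemory entries only record the parent writing into the child it is spawning, which ordinary process creation also produces, so on their own they are weak evidence. The following Python is an added example, not part of the Triage report or the sample: it encodes the report's indicators as three correlated rules (PE written directly into C:\Windows by a process running from %TEMP% or from C:\Windows itself, a Run value pointing at a PE the same process just dropped, and execution of a dropped PE) and runs them over a constructed list of Sysmon-style events (EventID 1/11/13 and field names follow Sysmon; the events, the benign noise, the extra SID and the rule names are all made up for the demonstration).

```python
"""Correlate drop -> Run-key persistence -> execution, as seen in the report.

Added example, not the report's or the sample's own code. Events are
dicts with Sysmon-like fields; the sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Run value under a user hive. Sysmon logs HKU\<SID>\..., the report shows the
# native \REGISTRY\USER\<SID>\... form; accept both.
RUN_KEY_RE = re.compile(
    r"^(?:HKU|\\REGISTRY\\USER)\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# A PE directly in the Windows directory root (no subfolder), as in the report.
WINDOWS_ROOT_PE_RE = re.compile(r"^C:\\Windows\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Hit:
    rule: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    """Undo doubled backslashes and quoting (the report's Run value reads
    "C:\\\\Windows\\\\microsofthelp.exe") and lowercase for comparison."""
    return path.replace("\\\\", "\\").strip('"').lower()


def detect(events: List[dict]) -> List[Hit]:
    """Run the three rules over chronologically ordered events."""
    hits: List[Hit] = []
    created: Dict[str, int] = {}  # normalised path -> pid that created it

    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        image = _norm(ev.get("Image", ""))

        if eid == 11:  # FileCreate
            target = _norm(ev["TargetFilename"])
            created[target] = pid
            writer_suspicious = TEMP_DIR_RE.search(image) or WINDOWS_ROOT_PE_RE.match(image)
            if WINDOWS_ROOT_PE_RE.match(target) and writer_suspicious:
                hits.append(Hit("pe_dropped_in_windows_root", pid, ev["TargetFilename"]))

        elif eid == 13:  # RegistryEvent, value set
            m = RUN_KEY_RE.match(ev["TargetObject"])
            if m:
                data = _norm(ev["Details"])
                # Persistence pointing at a PE this same process dropped earlier.
                if WINDOWS_ROOT_PE_RE.match(data) and created.get(data) == pid:
                    hits.append(Hit("run_key_to_self_dropped_pe", pid,
                                    f"{m.group('name')} -> {ev['Details']}"))

        elif eid == 1:  # ProcessCreate of a file seen being dropped
            if image in created:
                hits.append(Hit("dropped_pe_executed", pid, ev["Image"]))

    return hits


# Constructed events mirroring the report's process tree, plus benign noise.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\48101c953714e34ff865adf62ecadd693f56012c4a2160219e3be0fcdc997fd5.exe")
HELPER = r"C:\Windows\microsofthelp.exe"
RUN_KEY = (r"HKU\S-1-5-21-1506706701-1246725540-2219210854-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp")
OTHER_RUN_KEY = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # made-up SID
                 r"\Software\Microsoft\Windows\CurrentVersion\Run\Foo")

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1660, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 1660, "Image": SAMPLE, "TargetFilename": HELPER},
    {"EventID": 13, "ProcessId": 1660, "Image": SAMPLE, "TargetObject": RUN_KEY,
     "Details": r'"C:\\Windows\\microsofthelp.exe"'},  # doubled, as the report prints it
    {"EventID": 1, "ProcessId": 2324, "Image": HELPER, "ParentImage": SAMPLE},
    {"EventID": 11, "ProcessId": 2324, "Image": HELPER, "TargetFilename": r"C:\Windows\HidePlugin.dll"},
    # Benign: a write into a Windows subfolder, and an installer's Run value under Program Files.
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SoftwareDistribution\update.dll"},
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Program Files\Foo\setup.exe",
     "TargetObject": OTHER_RUN_KEY, "Details": r"C:\Program Files\Foo\foo.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.rule:28} pid={hit.pid} {hit.detail}")
```

Run against the constructed events this yields four hits, all on PIDs 1660 and 2324, and nothing on the two benign events; the Run-key rule deliberately requires that the referenced PE was created by the same process, which is what separates this dropper pattern from an installer writing a Run value for software it did not just plant in the Windows root.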
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 66KB
  MD5: eba41c7f8382ca8244482acde8771f29
  SHA1: 9ead0299644102631940ce34554e21584b098fe2
  SHA256: c2325210b39e793d8e0fe3acc0b0adb08702db749892ea24c22ce827ae2175f5
  SHA512: 7e65708e2df5b95bcb4bb7668c74d033277ee3d090e9f01816ab76462cffd73d169d6ed89770c3f563deeca85757d6b6683d12c94a3cec675195d327492432c6