Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 111s
max time network: 22s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2024, 11:39
Static task: static1

Behavioral task: behavioral1
  Sample: c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
  Resource: win10v2004-20241007-en
General
Target: c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
Size: 93KB
MD5: 5cc3d2a90fe18118db199fd045246390
SHA1: 79782f30e93dd1b0dca3737771bf78adb495f38c
SHA256: c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588
SHA512: 2bb352a428723c6cc80cb9307a45c1c7dc1b367c8fa1a43ab04d90735f0376ab8839e6f93d78d330672705b4e49da20fb745371810b87bc2f7a77d7277091c16
SSDEEP: 1536:+HxCaqYLXJOfEbvdTvqGORq0H/waHXxoqNFcMeYxoPRR:+Hx8YL02HamwFDoPv
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe | c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2968 | lsass.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2464 | c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
  2464 | c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1360 | Process not Found
  1360 | Process not Found

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | Process
  2968 | lsass.exe
  2172 | explorer.exe
  1360 | Process not Found
  1360 | Process not Found
  1360 | Process not Found

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2464 | c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
  Token: SeDebugPrivilege | 2968 | lsass.exe
  Token: SeDebugPrivilege | 1360 | Process not Found

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2464 wrote to memory of 2968 | 2464 | c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe | 30
  PID 2464 wrote to memory of 2968 | 2464 | c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe | 30
  PID 2464 wrote to memory of 2968 | 2464 | c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe | 30
  PID 2464 wrote to memory of 2968 | 2464 | c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe | 30
  PID 2968 wrote to memory of 2172 | 2968 | lsass.exe | 31
  PID 2968 wrote to memory of 2172 | 2968 | lsass.exe | 31
  PID 2968 wrote to memory of 2172 | 2968 | lsass.exe | 31
  PID 2968 wrote to memory of 2172 | 2968 | lsass.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe"
   PID: 2464
   - Drops startup file
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe (child of PID 2464)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
      PID: 2968
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\explorer.exe (child of PID 2968)
         Command line: C:\Windows\explorer.exe
         PID: 2172
         - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 93KB
MD5: 5cc3d2a90fe18118db199fd045246390
SHA1: 79782f30e93dd1b0dca3737771bf78adb495f38c
SHA256: c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588
SHA512: 2bb352a428723c6cc80cb9307a45c1c7dc1b367c8fa1a43ab04d90735f0376ab8839e6f93d78d330672705b4e49da20fb745371810b87bc2f7a77d7277091c16