Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2024, 00:26
Static task: static1
Behavioral task: behavioral1
  Sample: 8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
  Resource: win10v2004-20241007-en
General
Target: 8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
Size: 3.5MB
MD5: 9cf6a80022f22bcc2994fda5f6020620
SHA1: 0f9af45d5db698b43881d4020371255502cca998
SHA256: 8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3
SHA512: f9e0ce84dc9b910382d252fb2725d76f549fad7dfe64e4ea30c775d9c56417edee00b790c918f9a3ec0dc76c0091af93e051360b007a916b76adceee86252391
SSDEEP: 49152:9RthomUdQ8h7D9S54+upeapeApIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzS:GDOLv/LK3BDhtvS0Hpe4zbpaAKL
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID 2744  sysx32.exe
  PID 2748  _8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe

Loads dropped DLL (2 IoCs)
  PID 2840  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
  PID 2840  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"  by 8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
  Note: the value lands under Wow6432Node and the dropped file under SysWOW64 (see below) because the sample is a 32-bit process running under WOW64 (resource tags arch:x86 on an x64 image); registry and file-system redirection rewrite its "system32" and HKLM\SOFTWARE writes. Hunting rules that look only at the native view miss this entry.

Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\A:  sysx32.exe
  File opened (read-only)  \??\B:  sysx32.exe

Drops file in System32 directory (3 IoCs)
  File created               C:\Windows\SysWOW64\sysx32.exe  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
  File opened for modification  C:\Windows\SysWOW64\sysx32.exe  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
  File created               C:\Windows\SysWOW64\sysx32.exe  sysx32.exe

Drops file in Program Files directory (2 IoCs)
  File created               C:\Program Files\StopOpen.exe.tmp  sysx32.exe
  File opened for modification  C:\Program Files\StopOpen.exe.tmp  sysx32.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2840 (8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe) wrote to memory of PID 2744 (procid_target 30), recorded four times.
  Caveat: a parent writing into a child it has just created is also what routine process creation looks like, so this signature carries little weight on its own; read it together with the drop and Run-key entries above, which show 2840 staging sysx32.exe and then launching it.
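The signatures above are tria.ge's; the following is an added example, not code from the report or from tria.ge, that re-expresses them as detection rules and runs them over Sysmon-style events constructed here from the report's own IoCs (PIDs, paths, hashes). The event dictionary shape, the rule names, the user-writable-origin heuristic on the System32 drop rule, and the correlation of the Run-key value against files the same process dropped (matched across the WOW64 redirection seen in this report) are this example's assumptions, not something the report states.

```python
"""Added example (not from the report or tria.ge): the sandbox signatures
re-expressed as detection rules over constructed Sysmon-style events."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hashes copied from the report's General and Downloads sections.
KNOWN_HASHES = {
    "9cf6a80022f22bcc2994fda5f6020620",  # MD5, submitted sample
    "8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3",
    "fb5e34a2ea241d01c85eca0665a40e5e",  # MD5, dropped _<sample>.exe
    "149f53bc41ce766b0a74af98bbd54e07183d74ec032ff79a75cf78d6a4d8ef17",
}

RUN_KEY_RE = re.compile(
    r"\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^c:\\windows\\(system32|syswow64)\\(.+)$", re.I)
USER_WRITABLE_RE = re.compile(r"^c:\\(users|programdata)\\", re.I)  # assumed heuristic
DRIVE_ROOT_RE = re.compile(r"\\\?\?\\([ABD-Z]):", re.I)  # \??\X: for any X except C:


def wow64_views(path: str) -> set[str]:
    """Return both views of a path under C:\\Windows\\{system32,SysWOW64}.

    A 32-bit process writing C:\\Windows\\system32\\sysx32.exe really creates
    C:\\Windows\\SysWOW64\\sysx32.exe (file-system redirection), and its
    HKLM\\SOFTWARE writes land under Wow6432Node, so rules must accept either.
    """
    m = SYSTEM_DIR_RE.match(path)
    if not m:
        return {path.lower()}
    tail = m.group(2).lower()
    return {f"c:\\windows\\system32\\{tail}", f"c:\\windows\\syswow64\\{tail}"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def run_rules(events: list[dict]) -> list[Finding]:
    """Evaluate the rules over a list of events and return all findings."""
    findings: list[Finding] = []
    dropped: dict[int, set[str]] = defaultdict(set)      # pid -> created paths
    drive_roots: dict[int, set[str]] = defaultdict(set)  # pid -> drive letters
    for ev in events:
        kind, pid, image = ev["event"], ev["pid"], ev["image"]
        if kind == "ProcessCreate" and ev.get("hashes", set()) & KNOWN_HASHES:
            findings.append(Finding("known_sample_hash", pid, image))
        elif kind == "FileCreate":
            dropped[pid].add(ev["target"].lower())
            # "Drops file in System32 directory", restricted to a user-writable
            # origin so installers running out of C:\Windows do not trip it.
            if SYSTEM_DIR_RE.match(ev["target"]) and USER_WRITABLE_RE.match(image):
                findings.append(Finding("drop_in_system_dir", pid, ev["target"]))
        elif kind == "RegistryValueSet" and RUN_KEY_RE.search(ev["target"]):
            # "Adds Run key to start application" (ATT&CK T1547.001)
            findings.append(Finding("run_key_persistence", pid, ev["value"]))
            # Correlation: persistence pointing at a file this process dropped,
            # compared across the WOW64 redirection the report shows.
            if wow64_views(ev["value"]) & dropped[pid]:
                findings.append(Finding("run_key_to_dropped_file", pid, ev["value"]))
        elif kind == "FileOpen" and DRIVE_ROOT_RE.fullmatch(ev["target"]):
            drive_roots[pid].add(DRIVE_ROOT_RE.fullmatch(ev["target"]).group(1).upper())
    for pid, roots in drive_roots.items():
        if len(roots) >= 2:  # "Enumerates connected drives"
            findings.append(Finding("drive_enumeration", pid, ",".join(sorted(roots))))
    return findings


# Constructed events mirroring the report's process tree and IoCs (not real telemetry).
SAMPLE_IMAGE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
                "8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe")
SYSX32 = "C:\\Windows\\SysWOW64\\sysx32.exe"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 2840, "image": SAMPLE_IMAGE,
     "hashes": {"9cf6a80022f22bcc2994fda5f6020620"}},
    {"event": "FileCreate", "pid": 2840, "image": SAMPLE_IMAGE, "target": SYSX32},
    {"event": "RegistryValueSet", "pid": 2840, "image": SAMPLE_IMAGE,
     "target": "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows"
               "\\CurrentVersion\\Run\\sys32",
     "value": "C:\\Windows\\system32\\sysx32.exe"},
    {"event": "ProcessCreate", "pid": 2744, "image": SYSX32, "hashes": set()},
    {"event": "FileOpen", "pid": 2744, "image": SYSX32, "target": "\\??\\A:"},
    {"event": "FileOpen", "pid": 2744, "image": SYSX32, "target": "\\??\\B:"},
    {"event": "FileOpen", "pid": 2744, "image": SYSX32, "target": "\\??\\C:"},  # benign
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f.rule:24} pid={f.pid} {f.detail}")
```

Run stand-alone it reports five findings for the constructed events: the known hash on PID 2840, the drop into SysWOW64, the Run key, the correlation between the two, and the A:/B: root reads by PID 2744. The correlation rule is the one worth keeping in a real ruleset: a Run value naming a freshly dropped executable is far more specific than either event alone, and it only works if the comparison tolerates the system32/SysWOW64 split.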
Processes
1. C:\Users\Admin\AppData\Local\Temp\8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe"
   PID: 2840
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\sysx32.exe
      Command line: C:\Windows\system32\sysx32.exe /scan
      PID: 2744
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory

   2. C:\Users\Admin\AppData\Local\Temp\_8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\_8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
      PID: 2748
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\_8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
  Filesize: 3.5MB
  MD5: fb5e34a2ea241d01c85eca0665a40e5e
  SHA1: afbe0ae677d65a01926ab51bb9934295d57588c0
  SHA256: 149f53bc41ce766b0a74af98bbd54e07183d74ec032ff79a75cf78d6a4d8ef17
  SHA512: 023d8551dd11ffc456d97e8af241927ebaf56dec2ad14e8617075e86da6f3ef622d53770bd3ce3d7b8547474ac291268ccd47d592355140ef7c24c267ea0d978

(no path given; same hashes as the submitted sample)
  Filesize: 3.5MB
  MD5: 9cf6a80022f22bcc2994fda5f6020620
  SHA1: 0f9af45d5db698b43881d4020371255502cca998
  SHA256: 8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3
  SHA512: f9e0ce84dc9b910382d252fb2725d76f549fad7dfe64e4ea30c775d9c56417edee00b790c918f9a3ec0dc76c0091af93e051360b007a916b76adceee86252391