Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/10/2024, 20:41
Behavioral task: behavioral1
- Sample: 3B4EE472D9C872BA1D96B7A676E809BA.exe
- Resource: win7-20240903-en
General
- Target: 3B4EE472D9C872BA1D96B7A676E809BA.exe
- Size: 553KB
- MD5: 3b4ee472d9c872ba1d96b7a676e809ba
- SHA1: 33186a216fe8a37a993f42477b8f813a56ba5f09
- SHA256: a317bcadef76feec57223d92244a322eb4409990808a7bab96cc929fbc4a7164
- SHA512: 22d93c0656d9ebb8f0e33497e2d02ecf8a9f160fff07620f0dfbd022b8449b99ae3d5dccb3d2f65f555d99415489bfcc4856eba3d87c2158c68c3922216e4985
- SSDEEP: 12288:iLV6BtpmkjDwb1bL/mZyysVSX/GFFcEvz20Q3CE+A2whXXAo2RB:AApfy16yDSOzFvz20A7lXqB
Malware Config
Signatures
- Nanocore family
- Unexpected DNS network traffic destination (8 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 1.0.0.1
  Destination IP | 1.0.0.1
  Destination IP | 1.0.0.1
  Destination IP | 1.0.0.1
  Destination IP | 1.0.0.1
  Destination IP | 1.0.0.1
  Destination IP | 1.0.0.1
  Destination IP | 1.0.0.1
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Monitor = "C:\\Program Files (x86)\\IMAP Monitor\\imapmon.exe" | 3B4EE472D9C872BA1D96B7A676E809BA.exe
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3B4EE472D9C872BA1D96B7A676E809BA.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\IMAP Monitor\imapmon.exe | 3B4EE472D9C872BA1D96B7A676E809BA.exe
  File opened for modification | C:\Program Files (x86)\IMAP Monitor\imapmon.exe | 3B4EE472D9C872BA1D96B7A676E809BA.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3B4EE472D9C872BA1D96B7A676E809BA.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
  800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
  800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
  800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
  800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
  800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
  800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
  800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 800 | 3B4EE472D9C872BA1D96B7A676E809BA.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3B4EE472D9C872BA1D96B7A676E809BA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3B4EE472D9C872BA1D96B7A676E809BA.exe"
  PID: 800
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken