Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 01:17
Static task: static1
Behavioral task: behavioral1
- Sample: f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe
- Resource: win10v2004-20241007-en
General
- Target: f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe
- Size: 89KB
- MD5: 762e6a229c846620bbbb11fbb6f36290
- SHA1: d7c1ec24f3cd7d04076efd2cd9c6feb1450ed6eb
- SHA256: f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673
- SHA512: 1c9b3d44e32b01e58c6805f8fa0f0b13c2a9a8c8e073dd223c3a83a0f731966268a884977e4c139d89e4a81a9edec0b8677e2d9186e2b8de9388e58defbe9264
- SSDEEP: 1536:k9o65gQK3Zm+Mt9RV5O8oQ9cXFunGm6ManhFLnBqHan6owwosTk8vxA:k9o6fK2XqXQwhnHlqQo8Lvy
Malware Config
Signatures
- Tinba family
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\1CBF96A9 = "C:\\Users\\Admin\\AppData\\Roaming\\1CBF96A9\\bin.exe"
  Process: winver.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: winver.exe
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid: 3048, Process: winver.exe (the same entry is listed 60 times in the report)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid: 3048, Process: winver.exe
  pid: 1256, Process: Explorer.EXE
  pid: 1256, Process: Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid: 1256, Process: Explorer.EXE
  pid: 1256, Process: Explorer.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2552 wrote to memory of 3048 | 2552 | f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe | 30
  PID 2552 wrote to memory of 3048 | 2552 | f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe | 30
  PID 2552 wrote to memory of 3048 | 2552 | f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe | 30
  PID 2552 wrote to memory of 3048 | 2552 | f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe | 30
  PID 2552 wrote to memory of 3048 | 2552 | f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe | 30
  PID 3048 wrote to memory of 1256 | 3048 | winver.exe | 21
  PID 3048 wrote to memory of 1128 | 3048 | winver.exe | 19
  PID 3048 wrote to memory of 1204 | 3048 | winver.exe | 20
  PID 3048 wrote to memory of 1256 | 3048 | winver.exe | 21
  PID 3048 wrote to memory of 1092 | 3048 | winver.exe | 25
  PID 3048 wrote to memory of 2552 | 3048 | winver.exe | 29
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Depth: 1, PID: 1128
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  Depth: 1, PID: 1204
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1, PID: 1256
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f6b61576fdaafb74827d76ef8a82d990b6b4c27bbb3c2a51d6a6506f39daf673N.exe"
    Depth: 2, PID: 2552
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      Command line: winver
      Depth: 3, PID: 3048
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Depth: 1, PID: 1092