Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21/12/2024, 20:46
Static task: static1
Behavioral task: behavioral1
- Sample: 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
- Resource: win7-20241010-en
General
- Target: 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
- Size: 2.2MB
- MD5: ba353539a8f310d60005f004fb94e24f
- SHA1: ca7006f2345678b15cdaa3fd0e70ec6d05862930
- SHA256: 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03
- SHA512: 1e1e14b2f00253cb3df5dbe134240d9974992911b9494a620944c9d8036dcf4da14acace197524ccd13826a097c2ad5fe6f441bb46cbaa860b1512279401442a
- SSDEEP: 24576:5Mq5HYOYUAm1yHBTjstd5nr6rn9VCZvlB1DfA+D0EdPrxPkMN0V9khzb+xHBmN+B:P5DTVYBTKYn9VuvlDjZdhN0T0zbmENn
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acoofgeqa = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ajhuxiadvy\\Acoofgeqa.exe\"" | 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2464 set thread context of 3440 | 2464 | 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe | 33
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  3116 | powershell.exe
  2464 | 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
  2464 | 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
  3440 | 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2464 | 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
  Token: SeDebugPrivilege | 3116 | powershell.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2464 wrote to memory of 3116 | 2464 | 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe | 31 (4 identical entries)
  PID 2464 wrote to memory of 3440 | 2464 | 53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe | 33 (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe"
  PID: 2464
  Signatures:
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    (the -enc argument is base64 of a UTF-16LE string and decodes to: Start-Sleep -Seconds 50)
    PID: 3116
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
    PID: 3440
    Signatures:
    - Suspicious behavior: EnumeratesProcesses