Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 19s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2025, 15:07
Tasks
- Static task static1
- Behavioral task behavioral1: sample rCRW51901537.exe, resource win7-20240729-en
- Behavioral task behavioral2: sample rCRW51901537.exe, resource win10v2004-20250129-en
- Behavioral task behavioral3: sample $PLUGINSDIR/nsExec.dll, resource win7-20241010-en
- Behavioral task behavioral4: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20250129-en
General
- Target: rCRW51901537.exe
- Size: 903KB
- MD5: 5e61c03c8a975e86e792bfa3f671ba64
- SHA1: 63ce77c1135445358dfae6f106e964546fdc025d
- SHA256: ea08fba535ff837c953efbd7e664aa22bec2f4784d2d66e3dea3b357b705d973
- SHA512: fe51514c8b8563b6e32a4369fab1d3f5af840768cdad3cd5887fbde5a9e47ac9edec446e2776fa3f998d71977fe8034e1da5069684389f6073ce78d910dedb20
- SSDEEP: 24576:Xiln2+hjdsfdMks3KgZ32Z8ImwIQSEab+W0Ab:Xonzds1MkkKBZ8I1RSTb+m
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with the display window hidden.
  pid 2824 powershell.exe
- Loads dropped DLL (1 IoC)
  pid 908 rCRW51901537.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rCRW51901537.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2824 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2824 powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 908 (rCRW51901537.exe) wrote to memory of PID 2824 (procid_target 29); the same event is recorded four times.
Processes
- C:\Users\Admin\AppData\Local\Temp\rCRW51901537.exe (PID 908, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\rCRW51901537.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2824, depth 2, child of PID 908)
    Command line: powershell.exe -windowstyle hidden "$Ideographic=gc -raw 'C:\Users\Admin\AppData\Local\Discernibly\lagringsformers\kasusbjning\Degaardenes179\Bloter.Ino';$Reigned=$Ideographic.SubString(70797,3);.$Reigned($Ideographic) "
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
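The process tree above is the whole story of this run: the dropper (the $PLUGINSDIR/nsExec.dll entry is the standard NSIS nsExec plugin, so rCRW51901537.exe is an NSIS-packaged installer) starts a hidden powershell.exe that reads a dropped file as one raw string, takes three characters at a fixed offset (70797) as a command name, and invokes that name with the call operator "." passing the whole file as its argument. The payload therefore never appears on the command line, and the report does not show Bloter.Ino, so the token's value is not known from this page. The Python below is an added example, not part of the tria.ge report or the sample: it runs the indicators visible in this chain as detection rules over constructed process-creation records (Sysmon event 1 / Security 4688 style fields; the field names, the parent of PID 908 and the benign event are assumptions), pulls the offset/length out of the .SubString() call, and recovers the token from a stand-in stage file without executing it.

```python
"""Triage helpers for the rCRW51901537.exe -> powershell.exe chain in this report.

Added example, not part of the tria.ge report or the sample. Input records are
constructed process-creation events (Sysmon event 1 / Security 4688 style
fields; the field names are an assumption), not the sandbox's own logs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


# Indicators distilled from the powershell.exe command line in the report:
# hidden window, Get-Content -raw of a file under AppData\Local, a short
# .SubString() slice used as a command name, and invocation of a variable
# with the call operator "." or "&".
CMDLINE_RULES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I),
    "reads_file_raw": re.compile(r"\b(?:gc|cat|type|Get-Content)\b[^;]*-raw\b", re.I),
    "short_substring_slice": re.compile(r"\.SubString\(\s*\d+\s*,\s*[1-4]\s*\)", re.I),
    "invokes_variable_as_command": re.compile(r"[.&]\s*\$\w+\s*\(", re.I),
    "appdata_local_path": re.compile(r"AppData\\Local\\", re.I),
}
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SUBSTRING_ARGS = re.compile(r"\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_indicators(cmd: str) -> list:
    """Names of the CMDLINE_RULES that match a PowerShell command line."""
    return [name for name, rx in CMDLINE_RULES.items() if rx.search(cmd)]


def substring_slices(cmd: str) -> list:
    """(offset, length) pairs for every .SubString(n, m) call in the command line."""
    return [(int(o), int(n)) for o, n in SUBSTRING_ARGS.findall(cmd)]


def recover_token(stage_text: str, offset: int, length: int) -> str:
    """Return the slice the script would turn into a command, without running it.

    .NET SubString indexes UTF-16 code units while Python indexes code points,
    so the two agree only while the file has no characters outside the BMP."""
    if offset + length > len(stage_text):
        raise ValueError("slice runs past end of file: offsets do not match this file")
    return stage_text[offset:offset + length]


def triage(events: list, min_hits: int = 3) -> list:
    """Flag powershell.exe launches whose command line and parent match the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        hits = cmdline_indicators(e.command_line)
        parent = by_pid.get(e.ppid)
        if parent is not None and USER_TEMP.search(parent.image):
            hits.append("parent_in_user_temp")
        if len(hits) >= min_hits:
            findings.append({"pid": e.pid, "ppid": e.ppid, "indicators": hits})
    return findings


# The command line exactly as the report shows it.
REPORT_CMDLINE = (
    r'powershell.exe -windowstyle hidden "$Ideographic=gc -raw '
    r"'C:\Users\Admin\AppData\Local\Discernibly\lagringsformers\kasusbjning"
    r"\Degaardenes179\Bloter.Ino';$Reigned=$Ideographic.SubString(70797,3);"
    r'.$Reigned($Ideographic) "'
)

# Constructed records: PIDs, images and the PowerShell command line come from
# the report; the parent of PID 908 and the benign third event are invented.
SAMPLE_EVENTS = [
    ProcEvent(908, 1544, r"C:\Users\Admin\AppData\Local\Temp\rCRW51901537.exe",
              r"C:\Windows\explorer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\rCRW51901537.exe"'),
    ProcEvent(2824, 908, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Admin\AppData\Local\Temp\rCRW51901537.exe", REPORT_CMDLINE),
    ProcEvent(3100, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe",
              r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'),
]

# Constructed stand-in for Bloter.Ino (the report does not show the real file):
# 64 filler characters, then a 3-character token at offset 64. The token value
# is chosen for the stand-in only.
STAGE_TEXT = "#" * 64 + "iex" + "\nWrite-Host 'stand-in payload'\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    for offset, length in substring_slices(REPORT_CMDLINE):
        print(f"script slices {length} chars at offset {offset}")
    print("stand-in token:", recover_token(STAGE_TEXT, 64, 3))
```

To apply recover_token to the real dropped file, read it the way the script does (a single string, not a list of lines) and pass the offset and length returned by substring_slices; a ValueError means the file on disk is not the one the command line was written for. The rules are deliberately narrow to this chain; the min_hits threshold keeps a lone "-windowstyle hidden" from firing on its own.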
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17KB
  MD5: ff66a9c96e345d70d38cc3a3abb6aaf6
  SHA1: 4983d3dc65bb245e9ba5b5777a75faccc2b76459
  SHA256: 03c46abaa1a37f0998ebb5da7ee3cad386037de6821958f1c7517ed10f7a846a
  SHA512: 36f25fcd0af78503a951f953bb65632735148902f5cf59aedfee2b74d649e57498f8ac047046448939aeed16539895746621fa91b489061be1219746921696f3
- Filesize: 6KB
  MD5: b55f7f1b17c39018910c23108f929082
  SHA1: 1601f1cc0d0d6bcf35799b7cd15550cd01556172
  SHA256: c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7
  SHA512: d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa