Analysis
max time kernel: 141s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2025, 04:04
Behavioral task
behavioral1
Sample: 8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
Resource: win7-20240903-en

General
Target: 8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
Size: 729KB
MD5: 98f37b55bc2ae96024a8cb8314d6e653
SHA1: 07ba58f1f7fb475377ea30413831977187ec612e
SHA256: 8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9
SHA512: f6369fb6954ddc0ccf1fad132a011a5d3bce71cc1417d8394618eabdefa0c5e5650100ab74d9c82f761d94c7bb5cdb49436a2c4d5a1e069d6061b47cf7dd5a14
SSDEEP: 12288:CquErHF6xC9D6DmR1J98w4oknqOOCyQfxXPp6wRr85P3DRZmI9SrIhnqe4DXc8Xj:Hrl6kD68JmlotQf/Rr8AwKDT
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures
Darkcloud family

ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource  yara_rule
behavioral1/files/0x0009000000016ea4-46.dat  acprotect

Drops startup file 1 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hurtling.vbs  hurtling.exe

Executes dropped EXE 1 IoCs
pid  Process
2480  hurtling.exe

Loads dropped DLL 2 IoCs
pid  Process
1108  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
2832  svchost.exe

AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/memory/1108-17-0x00000000000A0000-0x000000000023A000-memory.dmp  autoit_exe
behavioral1/memory/2480-34-0x0000000000220000-0x00000000003BA000-memory.dmp  autoit_exe
behavioral1/memory/2480-43-0x0000000000220000-0x00000000003BA000-memory.dmp  autoit_exe

Suspicious use of SetThreadContext 1 IoCs
description  pid  Process  procid_target
PID 2480 set thread context of 2832  2480  hurtling.exe  31

UPX packed file 9 IoCs
resource  yara_rule
behavioral1/memory/1108-0-0x00000000000A0000-0x000000000023A000-memory.dmp  upx
behavioral1/files/0x0007000000016dd1-13.dat  upx
behavioral1/memory/1108-17-0x00000000000A0000-0x000000000023A000-memory.dmp  upx
behavioral1/memory/2480-20-0x0000000000220000-0x00000000003BA000-memory.dmp  upx
behavioral1/memory/2480-34-0x0000000000220000-0x00000000003BA000-memory.dmp  upx
behavioral1/memory/2832-48-0x00000000745D0000-0x0000000074639000-memory.dmp  upx
behavioral1/files/0x0009000000016ea4-46.dat  upx
behavioral1/memory/2480-43-0x0000000000220000-0x00000000003BA000-memory.dmp  upx
behavioral1/memory/2832-53-0x00000000745D0000-0x0000000074639000-memory.dmp  upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hurtling.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs
pid  Process
2480  hurtling.exe

Suspicious use of FindShellTrayWindow 4 IoCs
pid  Process
1108  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
1108  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
2480  hurtling.exe
2480  hurtling.exe

Suspicious use of SendNotifyMessage 4 IoCs
pid  Process
1108  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
1108  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
2480  hurtling.exe
2480  hurtling.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid  Process
2832  svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 1108 wrote to memory of 2480  1108  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe  30
PID 1108 wrote to memory of 2480  1108  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe  30
PID 1108 wrote to memory of 2480  1108  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe  30
PID 1108 wrote to memory of 2480  1108  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe  30
PID 2480 wrote to memory of 2832  2480  hurtling.exe  31
PID 2480 wrote to memory of 2832  2480  hurtling.exe  31
PID 2480 wrote to memory of 2832  2480  hurtling.exe  31
PID 2480 wrote to memory of 2832  2480  hurtling.exe  31
PID 2480 wrote to memory of 2832  2480  hurtling.exe  31
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe"
   PID: 1108
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. (child of 1) Image: C:\Users\Admin\AppData\Local\Countee\hurtling.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe"
      PID: 2480
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. (child of 2) Image: C:\Windows\SysWOW64\svchost.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe"
         PID: 2832
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
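The process chain above (1108 -> 2480 -> 2832) together with the WriteProcessMemory, SetThreadContext and MapViewOfSection rows has the shape of process hollowing: hurtling.exe starts a SysWOW64 svchost.exe that still carries the sample's command line, writes into it and resets its thread context. The Python below is an added example, not tria.ge's code and not the sample's: it replays the report's rows as constructed event records and runs three detections over them (a hollowing pair check that also scores the command-line/image mismatch, a Startup-folder script drop check, and the NLS\Language key reads). The record layout, rule names and severities are this example's own assumptions.

```python
"""Replays the process tree and signature rows from this report as structured
records and runs three detections over them. Added example for this page:
the events are constructed from the report's rows; the field names, rule
names and severities are this example's own, not tria.ge's."""
from dataclasses import dataclass
from typing import Optional
import ntpath

SAMPLE = "8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe"
SAMPLE_CMD = f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str            # path of the image actually executed
    cmdline: str          # command line as reported by the sandbox
    ppid: Optional[int]   # parent PID, None for the root


# Process tree as listed under "Processes" (1108 -> 2480 -> 2832).
PROCS = {
    1108: Proc(1108, f"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}", SAMPLE_CMD, None),
    2480: Proc(2480, r"C:\Users\Admin\AppData\Local\Countee\hurtling.exe", SAMPLE_CMD, 1108),
    2832: Proc(2832, r"C:\Windows\SysWOW64\svchost.exe", SAMPLE_CMD, 2480),
}

NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
STARTUP_VBS = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\hurtling.vbs")

# (pid, event kind, target) triples constructed from the signature rows. The
# repeated "wrote to memory" rows for the same pair are collapsed to one each.
EVENTS = [
    (1108, "WriteProcessMemory", 2480),
    (2480, "WriteProcessMemory", 2832),
    (2480, "SetThreadContext", 2832),
    (2480, "MapViewOfSection", None),
    (2480, "FileCreate", STARTUP_VBS),
    (1108, "RegOpenKey", NLS_KEY),
    (2480, "RegOpenKey", NLS_KEY),
    (2832, "RegOpenKey", NLS_KEY),
]

SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".exe", ".lnk", ".hta"}


def first_token(cmdline: str) -> str:
    """Return the program part of a command line, quoted or bare."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def cmdline_mismatch(p: Proc) -> bool:
    """True when the command line names a different binary than the image
    that is running. The hollowed svchost.exe here still carries the
    sample's command line, as does the relaunched hurtling.exe."""
    return ntpath.basename(first_token(p.cmdline)).lower() != ntpath.basename(p.image).lower()


def detect_hollowing(procs, events):
    """Flag source->target pairs that both wrote memory into the target and
    reset a thread context there. A write alone (1108 -> 2480) is ordinary
    around process creation and is deliberately not enough to fire."""
    api_by_pair = {}
    for pid, kind, tgt in events:
        if kind in ("WriteProcessMemory", "SetThreadContext") and isinstance(tgt, int):
            api_by_pair.setdefault((pid, tgt), set()).add(kind)
    out = []
    for (src, tgt), kinds in api_by_pair.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= kinds:
            t = procs.get(tgt)
            system_image = t is not None and t.image.lower().startswith("c:\\windows\\")
            sev = "high" if (system_image and cmdline_mismatch(t)) else "medium"
            out.append({"rule": "process_hollowing", "source": src, "target": tgt, "severity": sev})
    return out


def detect_startup_persistence(events):
    """Script or executable written into a per-user Startup folder."""
    out = []
    for pid, kind, path in events:
        if kind != "FileCreate":
            continue
        low = path.lower()
        if "\\start menu\\programs\\startup\\" in low and ntpath.splitext(low)[1] in SCRIPT_EXTS:
            out.append({"rule": "startup_folder_drop", "pid": pid, "path": path, "severity": "medium"})
    return out


def detect_language_discovery(events):
    """Processes that opened the NLS\\Language key; low severity on its own."""
    pids = sorted({pid for pid, kind, key in events
                   if kind == "RegOpenKey" and key.lower().endswith("\\control\\nls\\language")})
    return [{"rule": "system_language_discovery", "pids": pids, "severity": "low"}] if pids else []


def run(procs, events):
    return (detect_hollowing(procs, events)
            + detect_startup_persistence(events)
            + detect_language_discovery(events))


if __name__ == "__main__":
    for finding in run(PROCS, EVENTS):
        print(finding)
```

Run as is and the hollowing rule fires once, for 2480 -> 2832 at high severity, because the target is a Windows system binary whose reported command line does not name svchost.exe; the 1108 -> 2480 writes stay silent. The language-discovery finding lists all three PIDs, which on this report is a side effect of the same code running in each stage rather than three separate checks.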
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 28KB
MD5: eab6fde96f9c418abef519035d2af89f
SHA1: d66d02553ba27f4afbe1a24068e4ded9f1b318b9
SHA256: fd1dcf9fbe49430a242974e7fe8016ad8fcaf7e9f15b60b629ab10722ef9fde4
SHA512: 6000be1e086003a6f1d193e645b3c8edc4b84e040810129208d98a6e1935d49c3d99dad4eaee498aa11062a796ed8879da848b9db91f01b42b490adf5e4ed231

Filesize: 729KB
MD5: 98f37b55bc2ae96024a8cb8314d6e653
SHA1: 07ba58f1f7fb475377ea30413831977187ec612e
SHA256: 8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9
SHA512: f6369fb6954ddc0ccf1fad132a011a5d3bce71cc1417d8394618eabdefa0c5e5650100ab74d9c82f761d94c7bb5cdb49436a2c4d5a1e069d6061b47cf7dd5a14

Filesize: 161KB
MD5: 073a17b6cfb1112c6c838b2fba06a657
SHA1: a54bb22489eaa8c52eb3e512aee522320530b0be
SHA256: dcfcd16fbf0511d3f2b3792e5493fa22d7291e4bb2efbfa5ade5002a04fc2cab
SHA512: 5bc8307350bd8ba09fa9eedddc62f1dba65db62eb09ae64e0adff4dfad0937dbec5b621f294f5980bf77033faac3bfe200945c0280606915ee9a82d34a003b9e