Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:17

General

  • Target

    d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe

  • Size

    369KB

  • MD5

    b6c96e7e2111b5ee133675104824493c

  • SHA1

    abf5259cbaf7e73721523719bee61a5586c47d21

  • SHA256

    d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db

  • SHA512

    3a4e395961ad70a806df4dd16ccac9ee6d692ffb4f7180c3409ad9dc8168c4f28f83b8201d3f2a7bde01f6bc820993881b85905e5768faf769a50649d1a096c0

  • SSDEEP

    6144:2n6zJ4mHcCLCYTnWz79nWz7NYp6hYp6rvDLuimKkBREsVf+3Kg4:16m2QiQrfqREx4

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe
    "C:\Users\Admin\AppData\Local\Temp\d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /flushdns
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:1764
    • C:\Users\Admin\AppData\Local\Temp\MW5fajwHSsA8ySG.exe
      "C:\Users\Admin\AppData\Local\Temp\MW5fajwHSsA8ySG.exe" s
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW5fajwHSsA8ySG.exe

    Filesize

    371KB

    MD5

    e182c531712bd6a577c209b51f7015bc

    SHA1

    2a2114d9f3cb2c6732c82b52bf6943bbc6b87ab0

    SHA256

    ecbf2f77d0fd99ba61f49c376c95e9e2223f0492b785b14a1e3d870e0d0889cb

    SHA512

    c553c6eb502ed75b252fb4a34b4af036c931102ee74d19a31fcd04d0949112943a3b969accc20c9ac620f1b9eb33ea5742f0c17d157a389f4ace90183dbe742b

  • memory/2228-0-0x00000000748F1000-0x00000000748F2000-memory.dmp

    Filesize

    4KB

  • memory/2228-1-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-2-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-3-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-4-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-13-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-14-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-15-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB