Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23/11/2022, 19:50
Static task
static1
Behavioral task
behavioral1
Sample
b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe
Resource
win10v2004-20220901-en
General
-
Target
b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe
-
Size
296KB
-
MD5
4bc4eeeada11c489e88c4d7cc6291400
-
SHA1
0b5d4b0ad6b9c73bca5684f0dff9650d89656f85
-
SHA256
b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d
-
SHA512
3803f870a58eaf939e7e877912fbe56230532146d56ff17e70b393d4fe55a014d872145bd60fad9f01eac89eb584ba6fff8b917da57d08c4c8594da537a5fea7
-
SSDEEP
6144:oVsTXF+yaNRUGjcbVkNUS5TEV2XnUfX501kCAgcw3t/EGQhbQaDOlXG7T:zTXF+dRUJGHxEVOr1kCAgcwF1gKo7T
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1664 jaiwyc.exe -
Deletes itself 1 IoCs
pid Process 2032 cmd.exe -
Loads dropped DLL 2 IoCs
pid Process 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run jaiwyc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jaiwyc = "C:\\Users\\Admin\\AppData\\Roaming\\Ohdu\\jaiwyc.exe" jaiwyc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1392 set thread context of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe 1664 jaiwyc.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 1392 wrote to memory of 1664 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 27 PID 1392 wrote to memory of 1664 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 27 PID 1392 wrote to memory of 1664 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 27 PID 1392 wrote to memory of 1664 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 27 PID 1664 wrote to memory of 1112 1664 jaiwyc.exe 16 PID 1664 wrote to memory of 1112 1664 jaiwyc.exe 16 PID 1664 wrote to memory of 1112 1664 jaiwyc.exe 16 PID 1664 wrote to memory of 1112 1664 jaiwyc.exe 16 PID 1664 wrote to memory of 1112 1664 jaiwyc.exe 16 PID 1664 wrote to memory of 1172 1664 jaiwyc.exe 15 PID 1664 wrote to memory of 1172 1664 jaiwyc.exe 15 PID 1664 wrote to memory of 1172 1664 jaiwyc.exe 15 PID 1664 wrote to memory of 1172 1664 jaiwyc.exe 15 PID 1664 wrote to memory of 1172 1664 jaiwyc.exe 15 PID 1664 wrote to memory of 1212 1664 jaiwyc.exe 14 PID 1664 wrote to memory of 1212 1664 jaiwyc.exe 14 PID 1664 wrote to memory of 1212 1664 jaiwyc.exe 14 PID 1664 wrote to memory of 1212 1664 jaiwyc.exe 14 PID 1664 wrote to memory of 1212 1664 jaiwyc.exe 14 PID 1664 wrote to memory of 1392 1664 jaiwyc.exe 26 PID 1664 wrote to memory of 1392 1664 jaiwyc.exe 26 PID 1664 wrote to memory of 1392 1664 jaiwyc.exe 26 PID 1664 wrote to memory of 1392 1664 jaiwyc.exe 26 PID 1664 wrote to memory of 1392 1664 jaiwyc.exe 26 PID 1392 wrote to memory of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 PID 1392 wrote to memory of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 PID 1392 wrote to memory of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 PID 1392 wrote to memory of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 PID 1392 wrote to memory of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 PID 1392 wrote to memory of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 PID 1392 wrote to memory of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 PID 1392 wrote to memory of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 PID 1392 wrote to memory of 2032 1392 b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe 28 PID 1664 wrote to memory of 1412 1664 jaiwyc.exe 29 PID 1664 wrote to memory of 1412 1664 jaiwyc.exe 29 PID 1664 wrote to memory of 1412 1664 jaiwyc.exe 29 PID 1664 wrote to memory of 1412 1664 jaiwyc.exe 29 PID 1664 wrote to memory of 1412 1664 jaiwyc.exe 29
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1212
-
C:\Users\Admin\AppData\Local\Temp\b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe"C:\Users\Admin\AppData\Local\Temp\b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Roaming\Ohdu\jaiwyc.exe"C:\Users\Admin\AppData\Roaming\Ohdu\jaiwyc.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\GKAC99D.bat"3⤵
- Deletes itself
PID:2032
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1172
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1112
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "3119493771438832212742793866-1665390612-63225239512350814825179880341409239703"1⤵PID:1412
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
303B
MD52a64b6233b6f4de2b2403f7bde670ef3
SHA191ffaddbf80d815fdabe6adc965554aba001ffc5
SHA2566470df1c6a84effe0a75606155adce51d2d52d6ca3bfaf9b14c2d221961b0efb
SHA512293565c030c0defd6c03887a920223d57cf7253fb8be3cbe7672ae3a38fa2dcfc99c9075913335b231f5e8e96f05c18b63438f0be6bced92de686254b8e64d31
-
Filesize
296KB
MD5bace63e64a3988b9772522b691f28800
SHA1a17ad5660383b66f57cdfe9bb44fcc01bb2f25d1
SHA256e02d2bcb90b32986f53bda6dab4cb38c8e93a7cd3042bb877ac939b6863cf217
SHA512087f90f7e7c0e2e207369f61b75276b96632fba0477ff45a9090fd931addd4d9cc2b9b53851d3df6ecfafcbff01cf00bf513711f4ddbd2f91a86d94ae498ab5c
-
Filesize
296KB
MD5bace63e64a3988b9772522b691f28800
SHA1a17ad5660383b66f57cdfe9bb44fcc01bb2f25d1
SHA256e02d2bcb90b32986f53bda6dab4cb38c8e93a7cd3042bb877ac939b6863cf217
SHA512087f90f7e7c0e2e207369f61b75276b96632fba0477ff45a9090fd931addd4d9cc2b9b53851d3df6ecfafcbff01cf00bf513711f4ddbd2f91a86d94ae498ab5c
-
Filesize
296KB
MD5bace63e64a3988b9772522b691f28800
SHA1a17ad5660383b66f57cdfe9bb44fcc01bb2f25d1
SHA256e02d2bcb90b32986f53bda6dab4cb38c8e93a7cd3042bb877ac939b6863cf217
SHA512087f90f7e7c0e2e207369f61b75276b96632fba0477ff45a9090fd931addd4d9cc2b9b53851d3df6ecfafcbff01cf00bf513711f4ddbd2f91a86d94ae498ab5c
-
Filesize
296KB
MD5bace63e64a3988b9772522b691f28800
SHA1a17ad5660383b66f57cdfe9bb44fcc01bb2f25d1
SHA256e02d2bcb90b32986f53bda6dab4cb38c8e93a7cd3042bb877ac939b6863cf217
SHA512087f90f7e7c0e2e207369f61b75276b96632fba0477ff45a9090fd931addd4d9cc2b9b53851d3df6ecfafcbff01cf00bf513711f4ddbd2f91a86d94ae498ab5c