Analysis
- max time kernel: 82s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 21:39
Static task
- static1

Behavioral task
- behavioral1
  Sample: 88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe
  Resource: win7-20220901-en

Behavioral task
- behavioral2
  Sample: 88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe
  Resource: win10v2004-20220901-en
General
- Target: 88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe
- Size: 423KB
- MD5: 61a28ab4086db27d3cdc7376f5a69998
- SHA1: a9de95c9d407abba3995a3a16a720913b8bab526
- SHA256: 88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d
- SHA512: 9ee6f1d3b178ab12ed3f09fa741d91091e43bbf6fd9a3bc5789f99dfc6a79a113bf3d9ee8ec1263e5d3e3e12d30cfe9ea5a44f63073b0dc002951016b389d3c0
- SSDEEP: 12288:W/O0T9PLWQhwpgIdA/t5tV8xjsgBov6/vYXubE/Wd:fQZ/0jdH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  3272  byung.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                    procid_target
  PID 2828 wrote to memory of 3272   2828  88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe  84
  PID 2828 wrote to memory of 3272   2828  88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe  84
  PID 2828 wrote to memory of 3272   2828  88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe  84
  PID 2828 wrote to memory of 3816   2828  88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe  85
  PID 2828 wrote to memory of 3816   2828  88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe  85
  PID 2828 wrote to memory of 3816   2828  88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe"
  PID: 2828
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Vyzoq\byung.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Vyzoq\byung.exe"
    PID: 3272
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa7b98379.bat"
    PID: 3816
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 307B
  MD5: e90836fa19d2fb091fa4b36394779435
  SHA1: c5e930c9df6e7b72214ead0cdf505e5b2600354b
  SHA256: 76f3ce2634571274347c72e15c546d4f03a1b68eeb0d9aa116113dad17c859f8
  SHA512: c3bfcbaef6651b44417f7d926ae005e377e2ea209ef4529d36577390e3e03bcd53a0f43261e3d1fdc8cfa11073d0a3340be57d8f149358140e8e50bef64a3d55
- Filesize: 423KB
  MD5: 7a6cf99a88417814af08a69a0b3ea8ed
  SHA1: 017992e4572f3f6079bd33c4013e098fcc251a05
  SHA256: 632b578f488e9df393482821610305f010a3a091199310f980e5b1df18a11085
  SHA512: 8102b15c17b5251f8f942852646672f2b62f3db63b0354b81a08c3c41fc75360f1d0ffa7ff9dd58ff30dd100f97bd4d1affdb5b17b2d48222b634ef64c6e13cd