Analysis
max time kernel: 151s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04/12/2022, 07:43
Static task: static1
Behavioral task: behavioral1
  Sample: 90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe
  Resource: win10v2004-20221111-en
General
Target: 90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe
Size: 180KB
MD5: 99a6c932299f6fefcd309b5df856144a
SHA1: 6f9d7ae184364f01a2de88a622595d88beaaf34f
SHA256: 90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f
SHA512: 48caa8aee227b4b9653e3e26a294d687bbf20c5c953b707091e89a418590bd288925606ce2a133fdda1b2b96404b6c01f2e97c70dbd0e17f00571003dfd16461
SSDEEP: 3072:8/Y8pA0noJD0hCkIThWQIKXTZaZN6V4y5NfAi:8/jMJ5J1zJXoH/i
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 1948  Ifyzaa.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run  (Ifyzaa.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\QZAIB7KITK = "C:\\Windows\\Ifyzaa.exe"  (Ifyzaa.exe)

Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  (90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe)
  File opened for modification: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  (90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe)
  File created: C:\Windows\Ifyzaa.exe  (90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe)
  File opened for modification: C:\Windows\Ifyzaa.exe  (90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe)

Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International  (Ifyzaa.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1644  90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe
  pid 1948  Ifyzaa.exe  (repeated for all remaining entries of the 64)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1644 wrote to memory of 1948; pid 1644; process 90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe; procid_target 28
  PID 1644 wrote to memory of 1948; pid 1644; process 90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe; procid_target 28
  PID 1644 wrote to memory of 1948; pid 1644; process 90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe; procid_target 28
  PID 1644 wrote to memory of 1948; pid 1644; process 90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe; procid_target 28
Processes
- C:\Users\Admin\AppData\Local\Temp\90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe (PID 1644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Ifyzaa.exe (PID 1948, child of PID 1644)
    Command line: C:\Windows\Ifyzaa.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 180KB
  MD5: 99a6c932299f6fefcd309b5df856144a
  SHA1: 6f9d7ae184364f01a2de88a622595d88beaaf34f
  SHA256: 90a1afa7f79db333125b8e28cd85b4624af46d1853dea8af56e8383796daaa2f
  SHA512: 48caa8aee227b4b9653e3e26a294d687bbf20c5c953b707091e89a418590bd288925606ce2a133fdda1b2b96404b6c01f2e97c70dbd0e17f00571003dfd16461
- Filesize: 408B
  MD5: 9f0b892607c5eccce3026e250da1e60b
  SHA1: 31084ce3c1efa4e979bb86a3328b56ba4eac0747
  SHA256: 637a66e56b905cb8800c234e10a49c5a1aaae06d1505f001ec5d1b45d6779119
  SHA512: 040573ab8453dff86f6ffbb06a060895bf918c9126982a2c9c47f6446ac76eaadb46b657f4977f507db992673f4ee1c1ec73f9df83077adb6e94139ed4e0c8ca