Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 27/08/2023, 15:29
Static task: static1
Behavioral task: behavioral1
  Sample: 5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
  Resource: win10v2004-20230703-en
General
Target: 5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
Size: 2.6MB
MD5: 583f6b00c52bd5afc1d8056fc545fca7
SHA1: e820d03d6eac8af0cef5e9737738bec7b491d432
SHA256: 5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866
SHA512: e78e58b832a1965889991f235d728661229a1b18a81420d600d695c4b6cd2e4d54ff317591ecd9ec710e49e020b2392b584fc5cfbaeb6f8a07caa4284a3f5130
SSDEEP: 49152:RbIrl/Uxldber4n1GVxBQb0OuNoe1IF/E0YoNFaHGuQBffy:RErl/UH9j1sBQbTuNKdEVHGuQdf
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2328  jdyvpuueuj.exe
  2184  jdyvpuueuj.tmp

Loads dropped DLL (6 IoCs)
  pid   Process
  2680  cmd.exe
  2328  jdyvpuueuj.exe
  2184  jdyvpuueuj.tmp
  2184  jdyvpuueuj.tmp
  2184  jdyvpuueuj.tmp
  2184  jdyvpuueuj.tmp

Drops file in Program Files directory (10 IoCs)
  description                   ioc                                              Process
  File created                  C:\Program Files (x86)\XYRadish\is-JC3MA.tmp      jdyvpuueuj.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-1KKG0.tmp      jdyvpuueuj.tmp
  File opened for modification  C:\Program Files (x86)\XYRadish\ScreenCapture.exe jdyvpuueuj.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-O1UQ8.tmp      jdyvpuueuj.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-JV52T.tmp      jdyvpuueuj.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-LUCLE.tmp      jdyvpuueuj.tmp
  File opened for modification  C:\Program Files (x86)\XYRadish\libEGL.dll        jdyvpuueuj.tmp
  File created                  C:\Program Files (x86)\XYRadish\unins000.dat      jdyvpuueuj.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-0EURC.tmp      jdyvpuueuj.tmp
  File opened for modification  C:\Program Files (x86)\XYRadish\unins000.dat      jdyvpuueuj.tmp

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2524  5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
  2524  5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
  2184  jdyvpuueuj.tmp
  2184  jdyvpuueuj.tmp

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2184  jdyvpuueuj.tmp

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2524 wrote to memory of 2680  2524  5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe   28
  PID 2524 wrote to memory of 2680  2524  5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe   28
  PID 2524 wrote to memory of 2680  2524  5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe   28
  PID 2524 wrote to memory of 2680  2524  5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe   28
  PID 2680 wrote to memory of 2328  2680  cmd.exe                                                                 30
  PID 2680 wrote to memory of 2328  2680  cmd.exe                                                                 30
  PID 2680 wrote to memory of 2328  2680  cmd.exe                                                                 30
  PID 2680 wrote to memory of 2328  2680  cmd.exe                                                                 30
  PID 2680 wrote to memory of 2328  2680  cmd.exe                                                                 30
  PID 2680 wrote to memory of 2328  2680  cmd.exe                                                                 30
  PID 2680 wrote to memory of 2328  2680  cmd.exe                                                                 30
  PID 2328 wrote to memory of 2184  2328  jdyvpuueuj.exe                                                          31
  PID 2328 wrote to memory of 2184  2328  jdyvpuueuj.exe                                                          31
  PID 2328 wrote to memory of 2184  2328  jdyvpuueuj.exe                                                          31
  PID 2328 wrote to memory of 2184  2328  jdyvpuueuj.exe                                                          31
  PID 2328 wrote to memory of 2184  2328  jdyvpuueuj.exe                                                          31
  PID 2328 wrote to memory of 2184  2328  jdyvpuueuj.exe                                                          31
  PID 2328 wrote to memory of 2184  2328  jdyvpuueuj.exe                                                          31
Processes

1. C:\Users\Admin\AppData\Local\Temp\5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2524

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe" /VERYSILENT
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2680

      3. C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe" /VERYSILENT
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         PID: 2328

         4. C:\Users\Admin\AppData\Local\Temp\is-GAHS9.tmp\jdyvpuueuj.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAHS9.tmp\jdyvpuueuj.tmp" /SL5="$A0124,150686,54272,C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe" /VERYSILENT
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            PID: 2184
Network
MITRE ATT&CK Enterprise v15
Downloads