Analysis
  max time kernel: 122s
  max time network: 145s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/01/2024, 18:44

Static task: static1

Behavioral task: behavioral1
  Sample: 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe
  Resource: win10v2004-20231222-en

General
  Target: 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe
  Size: 4.6MB
  MD5: 93c9a67a0f183f4f1d9e3fdc7e8f8e69
  SHA1: dacbe33276dc970cc778a4f62407ddb1ae65f64e
  SHA256: 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba
  SHA512: ec623ef15667f28d4e55da66f9846050da1bd78f0664f4d621090962ddd47855a4b4401bfa55253b687b441b0da59aa5c8ad3d50f1676264fb76c0cae54df77e
  SSDEEP: 98304:Qr/6Qib7v2y401+uJM5Opa5iSYasIHvvaNjTfcrXKNWf/8ITZJJ1yK9/4dm8:Y6Qizj+OmOpa5iPnIHa+20dTZL9/4dD
Malware Config

Signatures

- Detect Socks5Systemz Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/2680-154-0x0000000000730000-0x00000000007D2000-memory.dmp | family_socks5systemz
  behavioral2/memory/2680-148-0x0000000000730000-0x00000000007D2000-memory.dmp | family_socks5systemz
  behavioral2/memory/2680-161-0x0000000000730000-0x00000000007D2000-memory.dmp | family_socks5systemz

- Socks5Systemz
  Socks5Systemz is a botnet written in C++.

- Executes dropped EXE (3 IoCs)
  pid | Process
  3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp
  220 | printqueuemessaging.exe
  2680 | printqueuemessaging.exe

- Loads dropped DLL (3 IoCs)
  pid | Process
  3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp
  3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp
  3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp

- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 141.98.234.31

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Runs net.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp

- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 5080 wrote to memory of 3824 | 5080 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe | 90
  PID 5080 wrote to memory of 3824 | 5080 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe | 90
  PID 5080 wrote to memory of 3824 | 5080 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe | 90
  PID 3824 wrote to memory of 4576 | 3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp | 93
  PID 3824 wrote to memory of 4576 | 3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp | 93
  PID 3824 wrote to memory of 4576 | 3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp | 93
  PID 3824 wrote to memory of 220 | 3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp | 97
  PID 3824 wrote to memory of 220 | 3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp | 97
  PID 3824 wrote to memory of 220 | 3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp | 97
  PID 4576 wrote to memory of 2892 | 4576 | net.exe | 95
  PID 4576 wrote to memory of 2892 | 4576 | net.exe | 95
  PID 4576 wrote to memory of 2892 | 4576 | net.exe | 95
  PID 3824 wrote to memory of 2680 | 3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp | 94
  PID 3824 wrote to memory of 2680 | 3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp | 94
  PID 3824 wrote to memory of 2680 | 3824 | 7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp | 94
Processes (tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe"
  PID: 5080
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-HGE8I.tmp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-HGE8I.tmp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.tmp" /SL5="$C002E,4573314,54272,C:\Users\Admin\AppData\Local\Temp\7fc493af09b5db4be092f609adb357414e8a2c19bb191421bb057fe1acb2c3ba.exe"
    PID: 3824
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" helpmsg 192
      PID: 4576
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 helpmsg 192
        PID: 2892

    C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe
      Command line: "C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe" -s
      PID: 2680
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe
      Command line: "C:\Users\Admin\AppData\Local\Print Queue Messaging\printqueuemessaging.exe" -i
      PID: 220
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads