Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 07/03/2024, 16:39 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: b92afc8171c8cdc19c7820918c158aa5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b92afc8171c8cdc19c7820918c158aa5.exe
  Resource: win10v2004-20240226-en
General
Target: b92afc8171c8cdc19c7820918c158aa5.exe
Size: 110KB
MD5: b92afc8171c8cdc19c7820918c158aa5
SHA1: 368503d281c302c21781c848ddfb5b2c70b27f81
SHA256: 221e164123aa6502404587f485e867c8aff134cbea456e29ed49c6f58fbab396
SHA512: 7f954e21ba73896c7d904e8a65f922144feea739820624f8abe1f11e529d47f956c49fccd6cef6f528c63da594c2e2e5c0106f01a98cf8ce3fa0e064010ab303
SSDEEP: 3072:I9xKpyyf826+u06kM4C0wQNeoBPqvtokhAlgqMdoHbqamV1/GjFIy:PByd0w2ewqiMAOqOoH2jY
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid: 2944, Process: cmd.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2892 wrote to memory of 2944 | 2892 | b92afc8171c8cdc19c7820918c158aa5.exe | 28
  PID 2892 wrote to memory of 2944 | 2892 | b92afc8171c8cdc19c7820918c158aa5.exe | 28
  PID 2892 wrote to memory of 2944 | 2892 | b92afc8171c8cdc19c7820918c158aa5.exe | 28
  PID 2892 wrote to memory of 2944 | 2892 | b92afc8171c8cdc19c7820918c158aa5.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\b92afc8171c8cdc19c7820918c158aa5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b92afc8171c8cdc19c7820918c158aa5.exe"
  PID: 2892
  Signatures: Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ynz..bat" > nul 2> nul
    PID: 2944
    Signatures: Deletes itself
Network
Remote address: 8.8.8.8:53
  Request: vnexpress.net IN A
  Response: vnexpress.net IN A 111.65.250.2
Remote address: 8.8.8.8:53
  Request: netlog.com IN A
  Response: netlog.com IN A 3.93.249.127; netlog.com IN A 3.213.72.21; netlog.com IN A 34.230.144.100
Remote address: 8.8.8.8:53
  Request: netlog.com IN A
Remote address: 8.8.8.8:53
  Request: netlog.com IN A
Remote address: 8.8.8.8:53
  Request: netlog.com IN A
Remote address: 8.8.8.8:53
  Request: homeway.com.cn IN A
  Response: homeway.com.cn IN A 82.157.151.50
Remote address: 8.8.8.8:53
  Request: instantloadflash.in IN A
  Response: (empty)
Remote address: 8.8.8.8:53
  Request: adobejam.in IN A
  Response: (empty)
Remote address: 8.8.8.8:53
  Request: adobejam.in IN A
Remote address: 8.8.8.8:53
  Request: clashjamwallop.in IN A
  Response: (empty)
Flow: 59 B 75 B 1 1
  DNS Request: vnexpress.net
  DNS Response: 111.65.250.2
Flow: 224 B 104 B 4 1
  DNS Request: netlog.com
  DNS Request: netlog.com
  DNS Request: netlog.com
  DNS Request: netlog.com
  DNS Response: 3.93.249.127, 3.213.72.21, 34.230.144.100
Flow: 60 B 76 B 1 1
  DNS Request: homeway.com.cn
  DNS Response: 82.157.151.50
Flow: 65 B 118 B 1 1
  DNS Request: instantloadflash.in
Flow: 114 B 110 B 2 1
  DNS Request: adobejam.in
  DNS Request: adobejam.in
Flow: 63 B 116 B 1 1
  DNS Request: clashjamwallop.in
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 210B
MD5: 82320a4e408bcafdecc4631b434ce85d
SHA1: da8862ded6e2dceea49c3eb36904cb785d61339d
SHA256: cbef9c81d9f1ce6a873f68c232c264e3e2158addf05f79acd6256c79c6fdcb0c
SHA512: 43f2b94d01c8a34648bc9a0476bfa3650103f741c06330a04f5428590fcc0d672be5240171f15f50dcaab8f0333af26224fb9674c41cc69fc9e16c5bbe07068e