Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/03/2024, 19:15
Static task
- static1
Behavioral task
- behavioral1: sample d6e877128b87282e4534d70de7820334.exe, resource win7-20240221-en
Behavioral task
- behavioral2: sample d6e877128b87282e4534d70de7820334.exe, resource win10v2004-20240226-en
General
- Target: d6e877128b87282e4534d70de7820334.exe
- Size: 116KB
- MD5: d6e877128b87282e4534d70de7820334
- SHA1: bca452473d17be00f3be8686e7d3330289f8012e
- SHA256: e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4
- SHA512: 84d17adf7635ae683d3b86ea915a262ffb67a3a92f4046c862862cf59da473fcfd99080940271e36ff5cce280884d9626bdc8c217eece3a660e2ebb5544067eb
- SSDEEP: 3072:98RTVXDNJqxSA5HDc3I3nNoOsRXurRUQzj+5z/U:SZRcx5VMpOKXur2Qf+5z
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  4220 | Ehazya.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | Ehazya.exe
  File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | d6e877128b87282e4534d70de7820334.exe
  File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | d6e877128b87282e4534d70de7820334.exe
  File created | C:\Windows\Ehazya.exe | d6e877128b87282e4534d70de7820334.exe
  File opened for modification | C:\Windows\Ehazya.exe | d6e877128b87282e4534d70de7820334.exe
  File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | Ehazya.exe
  Both processes wrote successfully into C:\Windows and C:\Windows\Tasks, which requires administrative rights (the sample was launched from the Admin profile). A .job file in C:\Windows\Tasks is a Task Scheduler 1.0 task definition, a persistence location that the sample and the dropped Ehazya.exe each write.
- Modifies Internet Explorer settings (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main | Ehazya.exe
  Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\International | Ehazya.exe
  Creation of these two keys is a common side effect of a process initialising WinINet/urlmon and is weak evidence on its own.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4220 | Ehazya.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2012 wrote to memory of 4220 | 2012 | d6e877128b87282e4534d70de7820334.exe | 91 (3 identical entries)
  All three writes are from the parent into the child it has just spawned (PID 4220, started from its own image on disk). CreateProcess itself writes the new process's parameters into the child, so this signature alone is not evidence of code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\d6e877128b87282e4534d70de7820334.exe (PID 2012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6e877128b87282e4534d70de7820334.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Ehazya.exe (PID 4220, child of PID 2012)
    Command line: C:\Windows\Ehazya.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
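The file and process rows above describe one persistence chain: the sample drops Ehazya.exe into C:\Windows, writes a Task Scheduler .job file into C:\Windows\Tasks, and starts the dropped file, which then rewrites the same .job. The Python below is an added example, not part of the tria.ge report or its signature engine: a small detector that replays those rows as constructed events and flags the same three indicators (dropped EXE in the Windows root, legacy .job in C:\Windows\Tasks, execution of a file created earlier in the trace). The Event schema, the event list and the function names (detect, is_legacy_job, is_exe_in_windows_root) are assumptions built from the report's IoC table.

```python
import ntpath  # Windows path semantics regardless of the host OS
from dataclasses import dataclass

WINDOWS_DIR = r"C:\Windows"
TASKS_DIR = r"C:\Windows\Tasks"


@dataclass(frozen=True)
class Event:
    """Hypothetical minimal telemetry record (assumed schema, not tria.ge's)."""
    kind: str        # "file_create", "file_modify" or "process_create"
    pid: int         # acting process
    process: str     # image name of the acting process
    target: str      # path written, or image path of the spawned child
    child_pid: int = 0


# Constructed from the report's IoC rows (same paths, PIDs and order);
# no other telemetry from the run is available on the page.
SAMPLE = "d6e877128b87282e4534d70de7820334.exe"
JOB = r"C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job"
DROPPED = r"C:\Windows\Ehazya.exe"
EVENTS = [
    Event("file_create", 2012, SAMPLE, JOB),
    Event("file_modify", 2012, SAMPLE, JOB),
    Event("file_create", 2012, SAMPLE, DROPPED),
    Event("file_modify", 2012, SAMPLE, DROPPED),
    Event("process_create", 2012, SAMPLE, DROPPED, child_pid=4220),
    Event("file_modify", 4220, "Ehazya.exe", JOB),
    Event("file_create", 4220, "Ehazya.exe", JOB),
]


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons are stable."""
    return ntpath.normcase(ntpath.normpath(path))


def _direct_child_of(path: str, directory: str) -> bool:
    # Direct child only: C:\Windows\System32\x.exe is not "in the Windows root".
    return ntpath.dirname(_norm(path)) == _norm(directory)


def is_legacy_job(path: str) -> bool:
    """A .job file written straight into C:\\Windows\\Tasks (Task Scheduler 1.0 format)."""
    return _direct_child_of(path, TASKS_DIR) and _norm(path).endswith(".job")


def is_exe_in_windows_root(path: str) -> bool:
    """An .exe dropped directly into C:\\Windows rather than a subdirectory."""
    return _direct_child_of(path, WINDOWS_DIR) and _norm(path).endswith(".exe")


def detect(events):
    """Replay events in order; return one finding dict per process that trips an indicator.

    Keys: pid, process, and whichever of job_files, dropped_exes,
    executes_dropped (image path) and parent_pid apply.
    """
    created = set()   # paths created so far; a later exec of one is "Executes dropped EXE"
    per_proc = {}     # (pid, process) -> finding dict
    findings = []

    def finding(pid, process):
        key = (pid, process)
        if key not in per_proc:
            per_proc[key] = {"pid": pid, "process": process}
            findings.append(per_proc[key])
        return per_proc[key]

    for ev in events:
        if ev.kind in ("file_create", "file_modify"):
            if ev.kind == "file_create":
                created.add(_norm(ev.target))
            if is_legacy_job(ev.target):
                finding(ev.pid, ev.process).setdefault("job_files", set()).add(ev.target)
            elif is_exe_in_windows_root(ev.target):
                finding(ev.pid, ev.process).setdefault("dropped_exes", set()).add(ev.target)
        elif ev.kind == "process_create" and _norm(ev.target) in created:
            # Ordering matters: only an image written earlier in this trace counts.
            f = finding(ev.child_pid, ntpath.basename(ev.target))
            f["executes_dropped"] = ev.target
            f["parent_pid"] = ev.pid

    for f in findings:  # sets -> sorted lists for deterministic output
        for k in ("job_files", "dropped_exes"):
            if k in f:
                f[k] = sorted(f[k])
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Run against the constructed trace, detect returns two findings: PID 2012 (the sample) with one .job and one dropped .exe, and PID 4220 (Ehazya.exe) flagged both as executing a file the trace saw created and as rewriting the same .job. The parent-to-child WriteProcessMemory rows are deliberately not an indicator here, for the reason given under that signature.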
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2B
  MD5: 309fc7d3bc53bb63ac42e359260ac740
  SHA1: 2064f80f811db79a33c4e51c10221454e30c74ae
  SHA256: ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa
  SHA512: 77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8
- Filesize: 116KB (hashes identical to the submitted sample, i.e. a byte-for-byte copy of it)
  MD5: d6e877128b87282e4534d70de7820334
  SHA1: bca452473d17be00f3be8686e7d3330289f8012e
  SHA256: e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4
  SHA512: 84d17adf7635ae683d3b86ea915a262ffb67a3a92f4046c862862cf59da473fcfd99080940271e36ff5cce280884d9626bdc8c217eece3a660e2ebb5544067eb
- Filesize: 362B
  MD5: b0235500b8bd378b0bafb856fb580c62
  SHA1: 29dd18333732cbf21574962100ffc4e484abd722
  SHA256: ee3b0f263512dd2e32ef1d79a7a2cfb05a2483759e5db69dd3a7414ac8b8716c
  SHA512: 6e98acce02d8994b21f063746772f8bd5036b6087ded7d6005ed0cb1810bdf2821cd4ea35ed97b9ad336bd5acbe88a637059aa6067080bd53aaad368639af485