Resubmissions (analysis ID, submitted, score)
240415-nfa1nada96   15/04/2024, 11:19   10/10
240410-dqqhzsfh2w   10/04/2024, 03:13   10/10
240410-dqp78ace62   10/04/2024, 03:12   10/10
240410-dqplpafh2v   10/04/2024, 03:12   10/10
240410-dqpaxsce59   10/04/2024, 03:12   10/10
231222-bb35escaf6   22/12/2023, 00:59   10/10
Analysis
max time kernel: 142s
max time network: 146s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 15/04/2024, 11:19
Behavioral task behavioral1: sample 3e58382005322606bd6ae12da2f209b1.exe, resource win7-20240215-en
Behavioral task behavioral2: sample 3e58382005322606bd6ae12da2f209b1.exe, resource win10-20240404-en
Behavioral task behavioral3: sample 3e58382005322606bd6ae12da2f209b1.exe, resource win10v2004-20240412-en
(The signatures and process tree on this page are from behavioral1, the Windows 7 x64 run.)
General
Target: 3e58382005322606bd6ae12da2f209b1.exe
Size: 209KB
MD5: 3e58382005322606bd6ae12da2f209b1
SHA1: 0afab0c2514061f3d341f720705e54aad4a4f36e
SHA256: 9ab42dd0edbb92405904350c550525878312858405e737c7414025dab5981c80
SHA512: 13c8df1f07d1584cc827fcc78b691cac78e7cd95ad0e2578974acb9bd8b0c2770d410d743fdc84ffa4c1a431ebe05772715d6bd57489abb7dc249b43b241c1ee
SSDEEP: 6144:YDnLgI91y1UkT57iJz/DpURWPSvHuUiYphu1UR:cnLh9yn52rpUR5vHuRYpM+R
Malware Config
Extracted family: systembc
C2 hosts from the extracted config:
  yan0212.com:4039
  yan0212.net:4039
Signatures
Executes dropped EXE (1 IoC)
  PID 2660  wxwt.exe
YARA rule match: upx
  resource behavioral1/files/0x000d00000001231c-6.dat
Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 5  api.ipify.org
  flow 6  api.ipify.org
  flow 7  ip4.seeip.org
  flow 8  ip4.seeip.org
Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity. This is a TTP tag; no flow IoC is listed for it on this run.
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\wxwt.job  by 3e58382005322606bd6ae12da2f209b1.exe
  File opened for modification: C:\Windows\Tasks\wxwt.job  by 3e58382005322606bd6ae12da2f209b1.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2744  3e58382005322606bd6ae12da2f209b1.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2920 (taskeng.exe) wrote to memory of PID 2660 (wxwt.exe), recorded four times
Processes
The tree shows scheduled-task persistence: the sample writes C:\Windows\Tasks\wxwt.job, and the Task Scheduler host taskeng.exe, running as S-1-5-18 (NT AUTHORITY\System), then starts the dropped C:\ProgramData\bpdpqf\wxwt.exe with the argument "start".

1  C:\Users\Admin\AppData\Local\Temp\3e58382005322606bd6ae12da2f209b1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3e58382005322606bd6ae12da2f209b1.exe"
   PID 2744
   signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
1  C:\Windows\system32\taskeng.exe
   command line: taskeng.exe {242EC31B-0357-4FF0-A364-0FE80B0386D5} S-1-5-18:NT AUTHORITY\System:Service:
   PID 2920
   signatures: Suspicious use of WriteProcessMemory
   2  C:\ProgramData\bpdpqf\wxwt.exe
      command line: C:\ProgramData\bpdpqf\wxwt.exe start
      PID 2660
      signatures: Executes dropped EXE
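The persistence chain and network indicators in this report, turned into an offline detection pass. This is an added example, not code from tria.ge or from the sample's analysis: the hashes, C2 host:port pairs, IP-lookup hosts, .job path and ProgramData path are taken from the report above; the event field names (event, pid, image, parent_image, hashes, path, query, dest_host, dest_port) are this example's own Sysmon-like schema, and the telemetry it scans is constructed to mirror the process tree, not real sandbox logs. The two path patterns generalise what was observed (any .job under C:\Windows\Tasks, any EXE in a random-named C:\ProgramData folder started by the scheduler host) rather than matching only wxwt.

```python
import json
import re

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "3e58382005322606bd6ae12da2f209b1",
    "sha256": "9ab42dd0edbb92405904350c550525878312858405e737c7414025dab5981c80",
}
SYSTEMBC_C2 = {("yan0212.com", 4039), ("yan0212.net", 4039)}
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip4.seeip.org"}

# Generalised from the observed persistence: a .job file written under
# C:\Windows\Tasks, and an EXE in a random-named C:\ProgramData folder started
# by the scheduler host (taskeng.exe on Windows 7; svchost.exe hosts the
# Schedule service on Windows 10+, which is far noisier without extra filtering).
JOB_FILE_RE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.I)
PROGRAMDATA_EXE_RE = re.compile(r"^c:\\programdata\\[a-z0-9]+\\[^\\]+\.exe$", re.I)
SCHEDULER_HOSTS = {"taskeng.exe", "svchost.exe"}


def check_event(ev):
    """Return the names of the detections one event triggers ([] if none).

    The field names are this example's own schema (assumption), loosely
    modelled on Sysmon event IDs 1, 3, 11 and 22.
    """
    hits = []
    kind = ev.get("event")
    if kind == "file_create":
        if JOB_FILE_RE.match(ev.get("path", "")):
            hits.append("job_file_dropped_in_windows_tasks")
    elif kind == "process_create":
        parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        if PROGRAMDATA_EXE_RE.match(ev.get("image", "")) and parent in SCHEDULER_HOSTS:
            hits.append("programdata_exe_launched_by_scheduler")
        hashes = ev.get("hashes", {})
        if any(hashes.get(k, "").lower() == v for k, v in SAMPLE_HASHES.items()):
            hits.append("known_systembc_sample_hash")
    elif kind == "dns_query":
        q = ev.get("query", "").lower()
        if q in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
        if q in {host for host, _ in SYSTEMBC_C2}:
            hits.append("systembc_c2_dns")
    elif kind == "network_connect":
        if (ev.get("dest_host", "").lower(), ev.get("dest_port")) in SYSTEMBC_C2:
            hits.append("systembc_c2_connect")
    return hits


def scan(json_lines):
    """Run check_event over JSON-lines telemetry; return [(pid, [detections])]."""
    findings = []
    for line in json_lines:
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            findings.append((ev.get("pid"), hits))
    return findings


# Constructed telemetry mirroring the report's process tree, plus two benign
# events. These records are made up for the example, not logs from the run.
SAMPLE_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\3e58382005322606bd6ae12da2f209b1.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event": "process_create", "pid": 2744, "image": SAMPLE_DROPPER,
     "parent_image": r"C:\Windows\explorer.exe",
     "hashes": {"md5": "3e58382005322606bd6ae12da2f209b1"}},
    {"event": "file_create", "pid": 2744, "path": r"C:\Windows\Tasks\wxwt.job"},
    {"event": "process_create", "pid": 2660, "image": r"C:\ProgramData\bpdpqf\wxwt.exe",
     "parent_image": r"C:\Windows\system32\taskeng.exe", "hashes": {}},
    {"event": "dns_query", "pid": 2660, "query": "api.ipify.org"},
    {"event": "network_connect", "pid": 2660, "dest_host": "yan0212.com", "dest_port": 4039},
    {"event": "process_create", "pid": 3100, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "hashes": {}},
    {"event": "dns_query", "pid": 3100, "query": "www.example.com"},
]]


def run_sample():
    """Scan the constructed events above."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, hits in run_sample():
        print(pid, ", ".join(hits))
```

The hash and C2 checks are exact-match and only catch this sample and this config; the two path rules and the scheduler-parent check are the parts worth keeping as hunting logic, since SystemBC builds rotate names and C2 hosts. On Windows 10 the scheduler parent is svchost.exe, so in production that rule needs the parent command line restricted to the Schedule service instance before it is usable.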
MITRE ATT&CK Enterprise v15