Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

09/02/2025, 03:10

250209-dn49cstkez 10

08/06/2024, 08:50

240608-krvyesae91 10

08/05/2024, 16:15

240508-tqnx6ach3w 10

08/05/2024, 16:07

240508-tkr3mafa54 10

01/05/2024, 18:02

240501-wmf49acg3s 6

27/04/2024, 08:46

240427-kpfeysff8s 10

25/04/2024, 21:25

240425-z9y55afb7v 10

25/04/2024, 21:16

240425-z4pphafa97 10

25/04/2024, 18:27

240425-w3929sde33 10

Analysis

  • max time kernel
    21s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/04/2024, 10:18

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-19T10:20:27Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_21-dirty.qcow2\"}"

General

  • Target

    Memz.exe

  • Size

    14KB

  • MD5

    19dbec50735b5f2a72d4199c4e184960

  • SHA1

    6fed7732f7cb6f59743795b2ab154a3676f4c822

  • SHA256

    a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

  • SHA512

    aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

  • SSDEEP

    192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Memz.exe
    "C:\Users\Admin\AppData\Local\Temp\Memz.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3276
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3980
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3028
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4088
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1912
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      PID:3048
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:3148

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads