Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d6a6a791bc...07.exe

windows7-x64

10

d6a6a791bc...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 03:29 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6a6a791bc32e2e75e73d0bed316f4e9fd7eea8451064defa44055e5740f3007.exe

  • Size

    53KB

  • MD5

    ed95af82d70db8a1971422a315317709

  • SHA1

    29e5aa660ce39fad470c0957deae3aba1dd7c1f5

  • SHA256

    d6a6a791bc32e2e75e73d0bed316f4e9fd7eea8451064defa44055e5740f3007

  • SHA512

    33646eea3f3db15b070629b0bb767288c3929462f49f9b39a5d0f38320667391b7d10c313fc60cc678f9969f35ea52c01e59b6076451bb6a3b2f46770d947e0d

  • SSDEEP

    1536:vNIg8r8QorPo/D37Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:TrPiJJjmLM3zRJWZsXy4Jt

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6a6a791bc32e2e75e73d0bed316f4e9fd7eea8451064defa44055e5740f3007.exe
    "C:\Users\Admin\AppData\Local\Temp\d6a6a791bc32e2e75e73d0bed316f4e9fd7eea8451064defa44055e5740f3007.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\yoakaa.exe
      "C:\Users\Admin\yoakaa.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2748

Network

  • flag-us
    DNS
    ns4.thepicturehut.net
    d6a6a791bc32e2e75e73d0bed316f4e9fd7eea8451064defa44055e5740f3007.exe
    Remote address:
    8.8.8.8:53
    Request
    ns4.thepicturehut.net
    IN A
    Response
No results found
  • 8.8.8.8:53
    ns4.thepicturehut.net
    dns
    d6a6a791bc32e2e75e73d0bed316f4e9fd7eea8451064defa44055e5740f3007.exe
    67 B
     140 B
     1
    1

    DNS Request

    ns4.thepicturehut.net

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\yoakaa.exe
    Filesize

    53KB

    MD5

    0db1a9683b00e5afa10eefef5be22f12

    SHA1

    083edf0d252752b96820792f326f6a9f626608db

    SHA256

    18e5a5f576527eb31690b120257c6f371dacfc7909c7d2f7c91e449c6196c8fc

    SHA512

    ebc95c5af31b0b22fc4c276c7e1c222c47ca9c988cbf0fb81681b6b9968ee7140f9dab2ecc86835ef674a3946c66dfe38c9397836d88b2cb97235ca879176d9b

    Download Submit

  • memory/2120-0-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2120-9-0x0000000003A60000-0x0000000003A72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2120-15-0x0000000003A60000-0x0000000003A72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2748-16-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.