Resubmissions

12/06/2024, 02:24

240612-cv27xayfnl 8

Analysis

  • max time kernel: 150s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/06/2024, 02:24

General

  • Target: ReYANG-win.exe
  • Size: 45.0MB
  • MD5: b23926a5155fdb7b6a2b346798b3ed89
  • SHA1: f765081c0ff0e84008f30dcdf75293ae5f79a7b3
  • SHA256: 840a59be8a916081f7f969ece99b1986ba2b46f9c7d3ea23a2e39fee6d16f090
  • SHA512: 94d3a32d4c862079ffa52582ff3357bbdfeffc40fb1761702249e9de461fdfcf1198a95f3589e34ce0c495b4b2ec273122abfb6697d3efa079407fe6d76ac4fe
  • SSDEEP: 786432:fMguj8Q4VfvSqFTrY3KeKv6xugIm7DpZI:fiAQIHSkHb6xp7DpZI

Signatures

  • Contacts a large (607) number of remote hosts (1 TTP)
    This may indicate a network scan to discover remotely running services.
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely for geofencing.
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ReYANG-win.exe (PID 4764)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ReYANG-win.exe"
    • Checks computer location settings
    • Loads dropped DLL

Downloads

  • C:\Users\Admin\AppData\Local\Temp\config.yml
    Filesize: 1KB
    MD5: 98d55c31ac02b32ac3c147cad3a97ed0
    SHA1: 1d72218c5cdd5cfe65187d66833eeaa16fad9368
    SHA256: b61bac80531f43058953c0747218203b4794908db361ed0a032d79f1168f6bdc
    SHA512: 36e48ab538dc41350ad4cb2a0127a1727db54b136e65f12526ac1648d884e462a28ebf7f7ca85eff37da5e7de9baddac9b28819395e65a7eb3dc83dbdd50f78e

  • C:\Users\Admin\AppData\Local\Temp\pkg-epSjFc\3cb442a7039ddcad2aac3f8bd5bfd6a4f9ff253ce47c1616b3a4495f11a5d0b9
    Filesize: 1.8MB
    MD5: 3072b68e3c226aff39e6782d025f25a8
    SHA1: cf559196d74fa490ac8ce192db222c9f5c5a006a
    SHA256: 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
    SHA512: 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

  • C:\Users\Admin\AppData\Local\Temp\pkg-epSjFc\5c9a74674baa49a8cc3965a2d84a4f89cd4ea1a459a9b493fc02a581c95bf3a8
    Filesize: 137KB
    MD5: 04bfbfec8db966420fe4c7b85ebb506a
    SHA1: 939bb742a354a92e1dcd3661a62d69e48030a335
    SHA256: da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
    SHA512: 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65