Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
32556f32e58...18.exe
windows7-x64
72556f32e58...18.exe
windows10-2004-x64
7$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...pt.dll
windows7-x64
1$PLUGINSDI...pt.dll
windows10-2004-x64
1$SYSDIR/co...ve.exe
windows7-x64
7$SYSDIR/co...ve.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$_5_.dll
windows7-x64
6$_5_.dll
windows10-2004-x64
6Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2024, 08:52
Static task
static1
Behavioral task
behavioral1
Sample
2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsBrowserOpt.dll
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsBrowserOpt.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
$SYSDIR/cont_coolblueads-remove.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
$SYSDIR/cont_coolblueads-remove.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240611-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
$_5_.dll
Resource
win7-20240220-en
General
-
Target
$SYSDIR/cont_coolblueads-remove.exe
-
Size
99KB
-
MD5
aa3e85010280be2efac3ae7f55f36e23
-
SHA1
d8dc17711d337a9c81695ec31e7abcae33b00fc9
-
SHA256
53d374ec1bb11c708bbd646e3b2c31c0525e910580e9f589291f263837f68aec
-
SHA512
42d4050a6f41fbef831eb98385c6bdeadb9f0848d48226ef07eccc163c27cfd6a5ac23b3231eb81a4cdc56e313dcfbb01877fc20a1749117d3283bbf424226e0
-
SSDEEP
3072:Wd/vyWmJtkAscJdpDILoRxQHUxe6Gg9m+mDbAi:WX4kAsFo/qUxe6GgUhIi
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3188 Au_.exe -
Loads dropped DLL 1 IoCs
pid Process 3188 Au_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
resource yara_rule behavioral10/files/0x0007000000023435-4.dat nsis_installer_1 behavioral10/files/0x0007000000023435-4.dat nsis_installer_2 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4852 wrote to memory of 3188 4852 cont_coolblueads-remove.exe 84 PID 4852 wrote to memory of 3188 4852 cont_coolblueads-remove.exe 84 PID 4852 wrote to memory of 3188 4852 cont_coolblueads-remove.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\$SYSDIR\cont_coolblueads-remove.exe"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\cont_coolblueads-remove.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3188
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
117KB
MD5cd6e705cc6992e869f488ab211ac37cb
SHA1c9c71edd929c15bcf5ee286d4a9e9259d1590eb5
SHA25644e729371099650904bcd5db0af7fdad6ffc01e336ae464f0bb151f329175292
SHA512460173bbcff640721e54bb403e1f46d274e649a9db7d3b83d009a7f00354d434874dfdc009679e98cfb05548801b9eee78c25fe17b083fac396087ad3327debf
-
Filesize
455B
MD5f3f50872811c27d8641e751e66181765
SHA118f670200bb77ed57aac5aeafe86fb74ec5bcbfe
SHA2568af8de8af9eb8801263e95069a4d339eb2920d6a3d1fe89297495b2af4f63980
SHA5125ea6655492ac93a16379f9a56a814bd2125b0d49babfd6f965991b9f53a2fbc4dd9e6a3f7d78d5c69b173a77de175a83b47013a448e1444e134f5602a77ca1d9
-
Filesize
507B
MD5750e564b420aff5a4162edc0cbfcb96b
SHA1ab64eb60f1f9b8104ca20e3d40173d01e4493ded
SHA2569bb6e0b86d30572555695db8bfcd1ff4f75c5c2ef209581aed207285611225dd
SHA5121bcbdb6abf7e19baff8d5e4664e6efc5ffefe7b8bdf687880115a60bce5cce90415a37c32c2a264f8570bd37667ecab952fcb75c6a0d0bd16a394a83c1ff6671
-
Filesize
99KB
MD5aa3e85010280be2efac3ae7f55f36e23
SHA1d8dc17711d337a9c81695ec31e7abcae33b00fc9
SHA25653d374ec1bb11c708bbd646e3b2c31c0525e910580e9f589291f263837f68aec
SHA51242d4050a6f41fbef831eb98385c6bdeadb9f0848d48226ef07eccc163c27cfd6a5ac23b3231eb81a4cdc56e313dcfbb01877fc20a1749117d3283bbf424226e0