Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 23/07/2024, 21:17

Static task: static1

Behavioral task: behavioral1
- Sample: 3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe
- Resource: win10v2004-20240709-en

Behavioral task: behavioral2
- Sample: 3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe
- Resource: win11-20240709-en
General
- Target: 3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe
- Size: 6.7MB
- MD5: 45c5c737a738f01c4b08bbaa771fa02b
- SHA1: 067a9e35cdd45ff31536203ac7e98ca682f97e1c
- SHA256: 3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b
- SHA512: 3459b1f371d9cb1970251270e3285cbb7591b5e54ef489334ca0a122f24024507da99334d474081421d9810ed2b1acbc4a9d4ec2a657d82c4b6e3696890f537c
- SSDEEP: 98304:qiCQN7R5prsGljcxb+Fja/E05q/M/CUodfvI0CyLNjAY+iTWfkSZ9QwGvZ/u9dkD:/Ce75sGljcqjc5q/MxppZ6xvZ29di
Malware Config
Signatures
- Detect Socks5Systemz Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/644-84-0x0000000000900000-0x00000000009A2000-memory.dmp | family_socks5systemz
  behavioral2/memory/644-109-0x0000000000900000-0x00000000009A2000-memory.dmp | family_socks5systemz
  behavioral2/memory/644-108-0x0000000000900000-0x00000000009A2000-memory.dmp | family_socks5systemz
- Socks5Systemz
  Socks5Systemz is a botnet written in C++.
- Executes dropped EXE (3 IoCs)
  pid | Process
  2336 | is-7TNS7.tmp
  2732 | mp3cdripperbeta32_64.exe
  644 | mp3cdripperbeta32_64.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2336 | is-7TNS7.tmp
- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 91.211.247.248
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | is-7TNS7.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mp3cdripperbeta32_64.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mp3cdripperbeta32_64.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4112 wrote to memory of 2336 | 4112 | 3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe | 81
  PID 4112 wrote to memory of 2336 | 4112 | 3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe | 81
  PID 4112 wrote to memory of 2336 | 4112 | 3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe | 81
  PID 2336 wrote to memory of 2732 | 2336 | is-7TNS7.tmp | 83
  PID 2336 wrote to memory of 2732 | 2336 | is-7TNS7.tmp | 83
  PID 2336 wrote to memory of 2732 | 2336 | is-7TNS7.tmp | 83
  PID 2336 wrote to memory of 644 | 2336 | is-7TNS7.tmp | 84
  PID 2336 wrote to memory of 644 | 2336 | is-7TNS7.tmp | 84
  PID 2336 wrote to memory of 644 | 2336 | is-7TNS7.tmp | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe (PID 4112)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-BD2MT.tmp\is-7TNS7.tmp (PID 2336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-BD2MT.tmp\is-7TNS7.tmp" /SL4 $60252 "C:\Users\Admin\AppData\Local\Temp\3786fcb6140f9aa71c65abe4a53af23ab35f66ce734736ad2bf6fb1d6b01575b.exe" 6735210 52224
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe (PID 2732)
      Command line: "C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -i
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe (PID 644)
      Command line: "C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -s
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
  MD5: 538be7e5b91d8e72f0b65d7f25340a18
  SHA1: 43b324d412c70dec1f4551552f66990c093351a6
  SHA256: 54e9c3657ec6435e94dfb9ffe9646c3f460254eee05cd9cd61cb15fdeb4b277c
  SHA512: ef6b3c823994d3e1d063c4f8fa43fd395b84173f4e9e9f7b973b7af19cbba222798aaca330ca54941e80c655b36a341f12e44b620e6ba196f8f04e75d49fecbf
- Filesize: 642KB
  MD5: 6580f6f26daf83c5e4d3e3b28e2f70f6
  SHA1: 5bc35126a341e038b96923db25c3f5424a631c5e
  SHA256: e241bd09fc67344895f45de4fb9f147d618a8a5bcec360c83882675e75ebd672
  SHA512: 8f042bbbaec8f0a7cb31cfa44ed0e3d72100e3f3473f442e06ffc7f90322da4cb54979ba51365033cba927b801225d339e64b3b31c3b57483b76bd006908dd36
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63