Analysis
max time kernel: 112s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/07/2024, 02:06
Static task: static1
Behavioral task: behavioral1
  Sample: 37e440169a8f25d185e0547245390910N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 37e440169a8f25d185e0547245390910N.exe
  Resource: win10v2004-20240709-en
General
Target: 37e440169a8f25d185e0547245390910N.exe
Size: 82KB
MD5: 37e440169a8f25d185e0547245390910
SHA1: 6ba3e7574cdfc8a7e463a8f6f8ba418edbd68795
SHA256: ad21956bf5a65d88ac21e74d90c1ad119d81f732d1b2e8db30180b149531d419
SHA512: 25b41a92aa02f3ea2416549a17defa1eea2c7a17a0cb8af71e28c8686fbffef69e8d6e58f38024f5b0ccc55439bd313d3624a10803fa24b9440f8e216219608f
SSDEEP: 768:ChZr2QJL5hMroyCqk6UHLe5XpEs9DLc30spTQcS0NQ:sZdJL5KrMzpH65GcEpZQcSE
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid    Process
  3148   jaihost.exe
- yara_rule matches
  resource                                                                      yara_rule
  behavioral2/memory/4512-1-0x0000000010000000-0x000000001000E000-memory.dmp    upx
  behavioral2/memory/4512-6-0x0000000010000000-0x000000001000E000-memory.dmp    upx
  behavioral2/memory/3148-12-0x0000000010000000-0x000000001000E000-memory.dmp   upx
  behavioral2/memory/3148-17-0x0000000010000000-0x000000001000E000-memory.dmp   upx
  behavioral2/memory/3148-18-0x0000000010000000-0x000000001000E000-memory.dmp   upx
  behavioral2/memory/3148-21-0x0000000010000000-0x000000001000E000-memory.dmp   upx
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Windows directory (2 IoCs)
  description                    ioc                                   Process
  File opened for modification   C:\Windows\AppPatch\IME\jaihost.exe   37e440169a8f25d185e0547245390910N.exe
  File created                   C:\Windows\AppPatch\IME\jaihost.exe   37e440169a8f25d185e0547245390910N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   37e440169a8f25d185e0547245390910N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   jaihost.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid    Process
  Token: SeIncBasePriorityPrivilege   4512   37e440169a8f25d185e0547245390910N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process                                 procid_target
  PID 4512 wrote to memory of 3956   4512   37e440169a8f25d185e0547245390910N.exe   88
  PID 4512 wrote to memory of 3956   4512   37e440169a8f25d185e0547245390910N.exe   88
  PID 4512 wrote to memory of 3956   4512   37e440169a8f25d185e0547245390910N.exe   88
Processes
- C:\Users\Admin\AppData\Local\Temp\37e440169a8f25d185e0547245390910N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37e440169a8f25d185e0547245390910N.exe"
  PID: 4512
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\37E440~1.EXE > nul
    PID: 3956
    - System Location Discovery: System Language Discovery
- C:\Windows\AppPatch\IME\jaihost.exe
  Command line: C:\Windows\AppPatch\IME\jaihost.exe
  PID: 3148
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 87KB
  MD5: 348acceac7f0ae08442b8b8dc4ad91f1
  SHA1: b629a215fd1852943291deae8c9034f2eff9f39b
  SHA256: 1585c6305552f0dda69d82c365dd80d4b5515080795af8ea8a8b99295d5d3a8f
  SHA512: 345828858dcbf0861e0972b5508c060a21734e4bb2dcaac6b85b398d79ab8f1ef70e98cab8ec521afe04b3eda1b8cfd5ea7ab117d67fb449c7b62bb5826f2e2d