Analysis

  • max time kernel
    111s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/07/2024, 06:46

General

  • Target

    5be6e2c83e2ed19e4b2c9ea83b734860N.exe

  • Size

    497KB

  • MD5

    5be6e2c83e2ed19e4b2c9ea83b734860

  • SHA1

    f1e4b6ef5b36d2098b652fd2ee5c2bad936ef7dc

  • SHA256

    140c37210d057d81b9e7a8a6c63483699812bf1b12dcd3f634bac5f8918ba896

  • SHA512

    c051251bb6d8dd4e79aaa50f1a7450e3954c2168ebd68c3589cb2a03c24183d1c920925aa4727609aa2b1924f2ff9a48379273084b44755916bd9d011b140f03

  • SSDEEP

    6144:yiNjjdOCJnUNKMEPDGeoo1HyisWW4g0QTxbGctE6Jm20tdVgWwAidpNCgrBF:TjjwULQoN84XQT08JoVgWwAkAQ

Malware Config

Signatures

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 17 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe
    "C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\Regsvr32.exe
      Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3984
    • C:\PerfLogs\svchost.exe
      C:\PerfLogs\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PerfLogs\svchost.exe

    Filesize

    497KB

    MD5

    a73e59c29dd7cb063c1b8abfa6850f09

    SHA1

    c82051f7cb6e3900dad881c316354338ac1a4692

    SHA256

    f9dad7643ee17f2f27dc1375aef425aa7eb5ae6d5345100b7d14d4424c11ffae

    SHA512

    9ad22e96477c9f2440a6864136c6d1174eb56b4d019df74978c65d2764ec0e984fd7b2b9c41e17527b7ef899a12a3c1b1a9a930c33a7e2fd76c975ab3d70ae37

  • C:\Users\CCLGYY.EXE

    Filesize

    497KB

    MD5

    4c88ef5b4caa97c36ffc6a3377e9765c

    SHA1

    7aa4ddf3a384286173d7f24ff0050343020c0c15

    SHA256

    22f6c7e7811a7e9496d754f22a520e5275b32453a83535a732c41ed99a15145e

    SHA512

    bdd6ebb85f069b5340781f9cb02cc18b972fb1794c664a4012351dd110139be84d9bb293fc2620fd65e95b9ff5256005f384402c0fdbb303d58debd116ed8473

  • C:\Windows\SysWOW64\Ms7002.dll

    Filesize

    52KB

    MD5

    876a2a99b81968f5b26e3cbe12063d2b

    SHA1

    7afa8f33b691b2651b65eb07220cc2fda4b7537c

    SHA256

    f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0

    SHA512

    ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

  • C:\filedebug

    Filesize

    205B

    MD5

    2f389f0dca36e22c0811db7d260f740c

    SHA1

    62077f3a13d559730db541c11f155079d37d5e0b

    SHA256

    9aa5af3786fe23809bdda6c6ac7b8fbe0ae20fc9da1c28b82bb9b7516ffae52b

    SHA512

    1e0457183b5bf9061311bfcb2c714f9d006ea4b71beff43e065426d1eddcb5f98991dbf9922586b9e59c36638956ff6491244816a8097d01f05a2a99eb0e9e1f

  • memory/2428-25-0x00000000023D0000-0x00000000023D1000-memory.dmp

    Filesize

    4KB

  • memory/2428-26-0x00000000023D0000-0x00000000023D1000-memory.dmp

    Filesize

    4KB

  • memory/2508-0-0x0000000002210000-0x0000000002211000-memory.dmp

    Filesize

    4KB