Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 26/07/2024, 20:23
Static task: static1
Behavioral task: behavioral1
- Sample: 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
- Resource: win10v2004-20240709-en
General
- Target: 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
- Size: 289KB
- MD5: 5e6849658c66ec6b6e83708ea8282abe
- SHA1: c9372cb19e1dda2bc97da79d42c61bb13880726e
- SHA256: 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a
- SHA512: f6a1034c65069c670898f9e521e4dee3c8985a2f584e8c8d7764ce974bbe526beaaa8f83f049c020ca1dca8256d000347562546cacde629faa781e354b8cc799
- SSDEEP: 6144:9OMJqCoAe4irtAIVGKaW04YG5kECzJLaQVbU5:9OMJqS8rcRW0k5klJLJbU5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2836  YTH.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2816  cmd.exe
  2816  cmd.exe
- Drops file in System32 directory (3 IoCs)
  description                   ioc                              Process
  File created                  C:\windows\SysWOW64\YTH.exe      31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
  File opened for modification  C:\windows\SysWOW64\YTH.exe      31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
  File created                  C:\windows\SysWOW64\YTH.exe.bat  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  YTH.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2972  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
  2972  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
  2836  YTH.exe
  2836  YTH.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2972  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
  2972  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
  2836  YTH.exe
  2836  YTH.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                                                product_target
  PID 2972 wrote to memory of 2816   2972  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe  31
  PID 2972 wrote to memory of 2816   2972  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe  31
  PID 2972 wrote to memory of 2816   2972  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe  31
  PID 2972 wrote to memory of 2816   2972  31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe  31
  PID 2816 wrote to memory of 2836   2816  cmd.exe                                                                33
  PID 2816 wrote to memory of 2836   2816  cmd.exe                                                                33
  PID 2816 wrote to memory of 2836   2816  cmd.exe                                                                33
  PID 2816 wrote to memory of 2836   2816  cmd.exe                                                                33
Processes
1. C:\Users\Admin\AppData\Local\Temp\31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe"
   PID: 2972
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: cmd /c ""C:\windows\system32\YTH.exe.bat" "
      PID: 2816
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\windows\SysWOW64\YTH.exe (child of 2)
         Command line: C:\windows\system32\YTH.exe
         PID: 2836
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
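The process tree above is a three-step chain: the sample writes YTH.exe and YTH.exe.bat into C:\windows\SysWOW64, spawns cmd.exe to run the .bat, and the .bat launches the dropped YTH.exe, with every process in the chain reading the NLS\Language key. One detail worth noticing is that cmd.exe and YTH.exe are told to use C:\windows\system32\... while the files actually live under SysWOW64: a 32-bit process on 64-bit Windows sees System32 as SysWOW64 through WOW64 file system redirection, so a detection that compares paths literally will fail to correlate the drop with the execution. The script below is an added example written for this page, not Triage's code and not part of the report. It rebuilds the chain from host telemetry, folding System32 onto SysWOW64 before correlating, and flags NLS\Language reads only for processes already tied to the chain, since that key is read by ordinary localized software as well. The event records are constructed to mirror the report's PIDs, paths and command lines in a simplified Sysmon-like shape; the field names ("type", "pid", "ppid", "image", "cmdline", "target", "key") and the parent PIDs 1500 and 4 are assumptions of this example.

```python
"""Rebuild the drop-to-SysWOW64-then-execute chain from host telemetry.

Added example for this page, not part of the Triage report. Event shape is a
simplified Sysmon-like record; the field names are this example's assumptions.
"""
import re

# WOW64 file system redirection: a 32-bit process naming C:\Windows\System32
# really touches C:\Windows\SysWOW64. Fold both spellings onto one so that a
# drop into SysWOW64 correlates with a command line that says system32.
SYSTEM_DIR = "c:\\windows\\syswow64\\"
PATH_RE = re.compile(r'[a-z]:\\[^"\s]+')
LANGUAGE_KEY_SUFFIX = "\\control\\nls\\language"

SAMPLE = "31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
NLS_KEY = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"

# Constructed events modelled on the report's process tree and IoCs.
# Parent PIDs 1500 (launcher of the sample) and 4 (System) are assumed.
EVENTS = [
    {"type": "process_create", "pid": 2972, "ppid": 1500, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"type": "file_create", "pid": 2972, "target": "C:\\windows\\SysWOW64\\YTH.exe"},
    {"type": "file_create", "pid": 2972, "target": "C:\\windows\\SysWOW64\\YTH.exe.bat"},
    {"type": "process_create", "pid": 2816, "ppid": 2972, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": 'cmd /c ""C:\\windows\\system32\\YTH.exe.bat" "'},
    {"type": "process_create", "pid": 2836, "ppid": 2816, "image": "C:\\windows\\SysWOW64\\YTH.exe",
     "cmdline": "C:\\windows\\system32\\YTH.exe"},
    {"type": "reg_open", "pid": 2972, "key": NLS_KEY},
    {"type": "reg_open", "pid": 2816, "key": NLS_KEY},
    {"type": "reg_open", "pid": 2836, "key": NLS_KEY},
    # Unrelated benign activity (constructed): must yield no finding.
    {"type": "process_create", "pid": 500, "ppid": 4, "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "reg_open", "pid": 500, "key": NLS_KEY},
]


def norm(path: str) -> str:
    """Lower-case a Windows path and fold System32 onto SysWOW64."""
    return path.lower().replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def ancestors(pid: int, parent: dict) -> set:
    """Ancestor PIDs of `pid`, as far as process-create events let us walk."""
    seen = set()
    while pid in parent and parent[pid] not in seen:
        pid = parent[pid]
        seen.add(pid)
    return seen


def analyze(events: list) -> list:
    """Return (finding, pid, detail) tuples for the report's chain: a process
    drops files into a system directory, a descendant runs the dropped .bat
    from its command line, a further descendant *is* the dropped .exe, and
    processes in that chain open the NLS\\Language key."""
    parent, dropped, suspicious, findings = {}, {}, set(), []
    for ev in events:
        if ev["type"] == "file_create":
            target = norm(ev["target"])
            if target.startswith(SYSTEM_DIR):
                dropped[target] = ev["pid"]          # path -> PID of the dropper
                suspicious.add(ev["pid"])
                findings.append(("drops_file_in_system_dir", ev["pid"], target))
        elif ev["type"] == "process_create":
            parent[ev["pid"]] = ev["ppid"]
            anc = ancestors(ev["pid"], parent)
            image = norm(ev["image"])
            # "Executes dropped EXE": the image itself was written by an ancestor.
            if dropped.get(image) in anc:
                suspicious.add(ev["pid"])
                findings.append(("executes_dropped_exe", ev["pid"], image))
            # A dropped script named on the command line (cmd /c "...bat").
            for ref in PATH_RE.findall(ev["cmdline"].lower()):
                ref = norm(ref)
                if ref != image and dropped.get(ref) in anc:
                    suspicious.add(ev["pid"])
                    findings.append(("runs_dropped_script", ev["pid"], ref))
        elif ev["type"] == "reg_open":
            # NLS\Language alone is noise; report it only inside the dropper chain.
            if ev["key"].lower().endswith(LANGUAGE_KEY_SUFFIX) and ev["pid"] in suspicious:
                findings.append(("system_language_discovery", ev["pid"], ev["key"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding, sep="\t")
```

Run against the constructed events the script reports the two drops by 2972, cmd.exe 2816 running the dropped .bat, 2836 executing the dropped YTH.exe, and one language-key read per chain process, while the svchost.exe read of the same key produces nothing. The 289KB file listed under Downloads has a different SHA256 from the submitted sample, so hash matching on the dropped copy needs the second hash; behavioural correlation like the above does not depend on either.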
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 70B
  MD5: 75c9746cc4ea5828fe91ff2f3dd55fc8
  SHA1: b5ef7df9713ae0dd0ea74852a94d9c985c08494b
  SHA256: 90f708a093c75b4c4eed2c30120e65e06fa626ad57f11dd49c846b42597d9238
  SHA512: 3494a86c2f99d1e12cebe4d40589f75f3feb3f8c4eece70c36563303004d95169bca4c46798bc3729b72a14edde2bfc36875abb1b71231e67fa79729c8180bfa
- Filesize: 289KB
  MD5: 27c942879c2e562ee2a05590807ae26b
  SHA1: b72f48447790ad22721b8608dcb759fb4c5245cd
  SHA256: 0bbdd338ed101e11714b00a23430250f73265dc2d5f06e07c2f5acc1bba37c83
  SHA512: a641129f34a6012679cc3ddc480afbd431af68385bdcb2b7e396f727ca5585ded9b2bff078386fe9010a6dc24bf973ff68daeca17abc609f7b90dc2d09f0ff1b