Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 20s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 06/08/2024, 03:41
Static task
static1
Behavioral task
behavioral1
Sample
532c81a2fbc19deb15cfca62be2c7f00N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
532c81a2fbc19deb15cfca62be2c7f00N.exe
Resource
win10v2004-20240802-en
General
Target: 532c81a2fbc19deb15cfca62be2c7f00N.exe
Size: 511KB
MD5: 532c81a2fbc19deb15cfca62be2c7f00
SHA1: d48745beb4f4d6d89fa5b20cb7dc51b79a4b3f31
SHA256: 4832101d2927f85e490292636eea03804151bb3893b112f7326d8069ac599e6f
SHA512: 64c87222c970b509c72d43853bcd3e826bbe2265503acc12445c9aab490fcd10f78abe3be2601ae5aaa6a20d76a9934e25ea92c2f26fb35412c6a98da0cbb984
SSDEEP: 12288:H1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D08Jo5:H1/aGLDCM4D8ayGMb5
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2044, process ytdje.exe

Loads dropped DLL (2 IoCs)
  pid 1768, process 532c81a2fbc19deb15cfca62be2c7f00N.exe
  pid 1768, process 532c81a2fbc19deb15cfca62be2c7f00N.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\ytdje.exe" (process ytdje.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 532c81a2fbc19deb15cfca62be2c7f00N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process ytdje.exe)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1768 wrote to memory of 2044 (1768 532c81a2fbc19deb15cfca62be2c7f00N.exe, procid_target 30)
  PID 1768 wrote to memory of 2044 (1768 532c81a2fbc19deb15cfca62be2c7f00N.exe, procid_target 30)
  PID 1768 wrote to memory of 2044 (1768 532c81a2fbc19deb15cfca62be2c7f00N.exe, procid_target 30)
  PID 1768 wrote to memory of 2044 (1768 532c81a2fbc19deb15cfca62be2c7f00N.exe, procid_target 30)
Processes
1. C:\Users\Admin\AppData\Local\Temp\532c81a2fbc19deb15cfca62be2c7f00N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\532c81a2fbc19deb15cfca62be2c7f00N.exe"
   PID: 1768
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\ytdje.exe (child of PID 1768)
      command line: "C:\ProgramData\ytdje.exe"
      PID: 2044
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 511KB
MD5: 0da85723fee90493b7d153ecadfeaad3
SHA1: e591f2b0b1a463f4c27673a3e848d6d2756f9ce4
SHA256: 04f641fb1e147e54388889f9b0f701c2a8abd71bfdb3d4cf4fa496ba06bcc399
SHA512: e9690927167186c5e3078ebaf23b67b9c54b5e0d635d555b6d9da70238047e3bbf3e22875215dae2578ee184cf00ca7d54c16453afecd15470e36b5136dd092b

Filesize: 255KB
MD5: f351898b5ba2d709e4d73d3160071029
SHA1: 5bddf9621650635913bea3f15cb0f7108a09079e
SHA256: 22972cfc5b13ea8cedef1adca83358f89fea716b3e775bd70553ed44ef04e668
SHA512: c9c680f93577ca853d9db3d9b84d16a43c1986c95d3bfc4ff3bbbafaa585cf6ee6ada6da6e86cea529e817f39e4e98d78c1ad99069aa417514ef5bab735ccf88

Filesize: 256KB
MD5: bdf66f6afa5b7620acaadbc9c61432bc
SHA1: b78ab12dd07c17c19a8b86140e2ce843ffaa6190
SHA256: 2cc151a6ef226842e192606d080a22fd1f4b9b1d6d42e6c8c83ba562ab8b4134
SHA512: a7bfa1d088bab4041e5dbd369e25ddaa5731630d4adba6282e38845bd1b330becf33502750b5725cc8f184361d4810efec276bb670a3d00355190eff26799902