Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/08/2024, 08:40
Behavioral task: behavioral1
- Sample: 8465bd48729dd7390abc0c3f95e172a0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 8465bd48729dd7390abc0c3f95e172a0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 8465bd48729dd7390abc0c3f95e172a0N.exe
- Size: 29KB
- MD5: 8465bd48729dd7390abc0c3f95e172a0
- SHA1: a9a3f09d5c89046ccb8aa87e4d431dca6ac0477f
- SHA256: a42c3112c56e30bf848c16b7b134f4cff456e4106058f33e607f70f80f781593
- SHA512: b819b0e388378bb28b993ca97a43112c4c594662b5ab1ae8719d2d2ae2ee36b10a76c160c7ba9f7206258d1135046e9e1d091ed34f7925b5ee8a290edf1a2c30
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/M:AEwVs+0jNDY1qi/qU
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
pid   Process
1352  services.exe

resource                                                                          yara_rule
behavioral2/memory/2880-0-0x0000000000500000-0x0000000000510200-memory.dmp        upx
behavioral2/files/0x0008000000023422-4.dat                                        upx
behavioral2/memory/1352-5-0x0000000000400000-0x0000000000408000-memory.dmp        upx
behavioral2/memory/2880-13-0x0000000000500000-0x0000000000510200-memory.dmp       upx
behavioral2/memory/1352-14-0x0000000000400000-0x0000000000408000-memory.dmp       upx
behavioral2/memory/1352-19-0x0000000000400000-0x0000000000408000-memory.dmp       upx
behavioral2/memory/1352-24-0x0000000000400000-0x0000000000408000-memory.dmp       upx
behavioral2/memory/1352-26-0x0000000000400000-0x0000000000408000-memory.dmp       upx
behavioral2/memory/2880-30-0x0000000000500000-0x0000000000510200-memory.dmp       upx
behavioral2/memory/1352-31-0x0000000000400000-0x0000000000408000-memory.dmp       upx
behavioral2/memory/2880-35-0x0000000000500000-0x0000000000510200-memory.dmp       upx
behavioral2/memory/1352-36-0x0000000000400000-0x0000000000408000-memory.dmp       upx
behavioral2/files/0x000a00000002342d-49.dat                                       upx
behavioral2/memory/2880-148-0x0000000000500000-0x0000000000510200-memory.dmp      upx
behavioral2/memory/1352-149-0x0000000000400000-0x0000000000408000-memory.dmp      upx
behavioral2/memory/2880-175-0x0000000000500000-0x0000000000510200-memory.dmp      upx
behavioral2/memory/1352-176-0x0000000000400000-0x0000000000408000-memory.dmp      upx
behavioral2/memory/1352-181-0x0000000000400000-0x0000000000408000-memory.dmp      upx
behavioral2/memory/2880-182-0x0000000000500000-0x0000000000510200-memory.dmp      upx
behavioral2/memory/1352-183-0x0000000000400000-0x0000000000408000-memory.dmp      upx
behavioral2/memory/2880-208-0x0000000000500000-0x0000000000510200-memory.dmp      upx
behavioral2/memory/1352-209-0x0000000000400000-0x0000000000408000-memory.dmp      upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"       8465bd48729dd7390abc0c3f95e172a0N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe
Drops file in Windows directory (3 IoCs)
description                   ioc                     Process
File created                  C:\Windows\services.exe  8465bd48729dd7390abc0c3f95e172a0N.exe
File opened for modification  C:\Windows\java.exe      8465bd48729dd7390abc0c3f95e172a0N.exe
File created                  C:\Windows\java.exe      8465bd48729dd7390abc0c3f95e172a0N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8465bd48729dd7390abc0c3f95e172a0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  services.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process                                procid_target
PID 2880 wrote to memory of 1352   2880  8465bd48729dd7390abc0c3f95e172a0N.exe  83
PID 2880 wrote to memory of 1352   2880  8465bd48729dd7390abc0c3f95e172a0N.exe  83
PID 2880 wrote to memory of 1352   2880  8465bd48729dd7390abc0c3f95e172a0N.exe  83
Processes
1. C:\Users\Admin\AppData\Local\Temp\8465bd48729dd7390abc0c3f95e172a0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8465bd48729dd7390abc0c3f95e172a0N.exe"
   PID: 2880
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\services.exe (child of PID 2880)
      Command line: "C:\Windows\services.exe"
      PID: 1352
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 313B
  MD5: ffb72ab4faba49ad441ce07db37dd8b6
  SHA1: 194e13c1c32ebb6e7a1dc912261cbd58a82ff71e
  SHA256: 7bd7c3676e98ddde8e0d5b63dd22cb9379d975bcd1d68884c97565cdd8d03660
  SHA512: 517be20d2442489ce39b48dc7f9f6f13f8c45d02703fb1865071f553d36b2289f5abc26c6089fc0bfad1a41fe318bf4b5a806915c5e45898ac744b7e4ed30257
- Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- Filesize: 29KB
  MD5: 95dc790d65e45d626d21806369b49289
  SHA1: 1d33c5054a7717ea96c6017cc43c64567e219ab5
  SHA256: a05abe06d4805f2dd7a3f4a7525af61facd370f804f7ea7e6f635b36d50467b3
  SHA512: 2686df3867fcdd43b5841ece6288a19caf0bc0a00299b5ce0dc0ab097cb6b4255661289521cdd9aa8fbad12ad3069e056c36d20b8e8ab0a4b59a589e059b09a4
- Filesize: 352B
  MD5: fdac804eac1622bca09925891e283324
  SHA1: e0160d0ea5e1bab38c6e526c5354b06f57df3654
  SHA256: 48c221a0f5c094a9d823b919bff10e88bb230aa7a56f242620a77a1331984313
  SHA512: c6e0190687d2226c0a63d7e94f016fc5af22250fda8b0c3000689aa19ed873c7f6b961fa93d6abf6058a1ecc92bf19e85786db2bfc4102b9041f47e704f2c30f
- Filesize: 352B
  MD5: 7f8e46370e3b82f85a51fa3a70220787
  SHA1: a2ffd1a89c8ce3a6628d194d1a526568052ec965
  SHA256: 00ea6c86b80bb7724b20f37f1b15aa1f7cf24b860ec269d76707eb42830744dd
  SHA512: 342d290db0c94be9d9829655a29bda5a62b35b7d732768224e365c8f0ddd3751338eb0d9a3464c7c188610462bedbe44dd7e6283c9395a21194839d457d1fee2
- Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2