Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 13/08/2024, 18:13
Static task
static1
Behavioral task
behavioral1
Sample
55ae6ad49d02908444ba196526e9bfd0N.exe
Resource
win7-20240704-en
General
- Target: 55ae6ad49d02908444ba196526e9bfd0N.exe
- Size: 53KB
- MD5: 55ae6ad49d02908444ba196526e9bfd0
- SHA1: 1289f879c187811826c39127e46ac8254bc2f705
- SHA256: d91dcc301722692594664654a2aa3feb53c4fbdf0c10cf9f1b6790a59e982298
- SHA512: 14515c1592a3322febd312003f6bfa097b99ad40781f593274b6369b03f52caca678db49d2f0918bcc36473b3f0e1388c8452b28a8a4a135d20bc8a22fa03c58
- SSDEEP: 1536:TlnBzGPEdPJpUI4QP4BDK3XmbPfKJ97ifA:JnBGPUMQwBDamb3a7iI
Malware Config
Extracted
- family: urelas
- C2 addresses:
  218.54.47.76
  218.54.47.77
  218.54.47.74
Signatures
- Deletes itself (1 IoC)
  pid 2492  process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2640  process biudfw.exe
- Loads dropped DLL (1 IoC)
  pid 1188  process 55ae6ad49d02908444ba196526e9bfd0N.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reads of this key are also part of routine locale initialisation, so on its own the indicator is weak; here it fires for cmd.exe as well as for the sample and the dropped binary.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  55ae6ad49d02908444ba196526e9bfd0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  biudfw.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid   process                                procid_target
  PID 1188 wrote to memory of 2640    1188  55ae6ad49d02908444ba196526e9bfd0N.exe  30
  PID 1188 wrote to memory of 2640    1188  55ae6ad49d02908444ba196526e9bfd0N.exe  30
  PID 1188 wrote to memory of 2640    1188  55ae6ad49d02908444ba196526e9bfd0N.exe  30
  PID 1188 wrote to memory of 2640    1188  55ae6ad49d02908444ba196526e9bfd0N.exe  30
  PID 1188 wrote to memory of 2492    1188  55ae6ad49d02908444ba196526e9bfd0N.exe  31
  PID 1188 wrote to memory of 2492    1188  55ae6ad49d02908444ba196526e9bfd0N.exe  31
  PID 1188 wrote to memory of 2492    1188  55ae6ad49d02908444ba196526e9bfd0N.exe  31
  PID 1188 wrote to memory of 2492    1188  55ae6ad49d02908444ba196526e9bfd0N.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\55ae6ad49d02908444ba196526e9bfd0N.exe (PID 1188, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\55ae6ad49d02908444ba196526e9bfd0N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\biudfw.exe (PID 2640, depth 2, child of PID 1188)
    command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2492, depth 2, child of PID 1188)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
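The report's signatures and process tree describe a small, recognisable chain: the sample in %TEMP% writes and starts biudfw.exe, hands a batch file to cmd.exe that removes the original, and the extracted urelas config names three C2 addresses. The following is an added hunting example, not Triage's tooling and not part of the report: it turns those observations into four checks and runs them over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records that mirror the tree above. Only the hashes, the dropped file names, the Temp location and the C2 IPs come from the report; the event dictionaries, the field names and the benign noise record are assumptions made for the example.

```python
"""
Hunting helpers built from the indicators in the Triage report above.
Added example, not Triage's own code. The EVENTS list is constructed
Sysmon-style telemetry (field names follow Sysmon Event ID 1 / 3), not data
from the report; only the indicator constants are taken from the report.
"""
from __future__ import annotations
import re
from typing import Iterable

# Indicators copied from the report.
SAMPLE_SHA256 = "d91dcc301722692594664654a2aa3feb53c4fbdf0c10cf9f1b6790a59e982298"
DROPPED_NAMES = {"biudfw.exe", "sanfdr.bat"}              # files the sample wrote to %TEMP%
C2_IPS = {"218.54.47.74", "218.54.47.76", "218.54.47.77"}  # extracted urelas config

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# 'cmd /c ""<path>.bat" "' as seen in the process tree; group 1 is the batch path.
BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def sha256_of(event: dict) -> str | None:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def match_known_sample(events: Iterable[dict]) -> list[int]:
    """Process IDs whose image hash equals the analysed sample."""
    return [ev["ProcessId"] for ev in events
            if ev.get("EventID") == 1 and sha256_of(ev) == SAMPLE_SHA256]


def detect_dropped_exec(events: Iterable[dict]) -> list[str]:
    """A %TEMP%-resident process launching another %TEMP%-resident executable:
    the generic shape of 'Executes dropped EXE'. A name match against the
    report's dropped files is added as a note, not required for the hit."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if TEMP_RE.search(ev["ParentImage"]) and TEMP_RE.search(ev["Image"]):
            name = basename(ev["Image"])
            tag = " (known dropped name)" if name in DROPPED_NAMES else ""
            hits.append(f"pid {ev['ProcessId']} {name} spawned by pid {ev['ParentProcessId']}{tag}")
    return hits


def detect_self_delete(events: Iterable[dict]) -> list[str]:
    """A %TEMP%-resident parent spawning cmd.exe on a batch file that also lives
    in %TEMP%: the 'Deletes itself' pattern (sanfdr.bat under PID 2492 above)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or basename(ev["Image"]) != "cmd.exe":
            continue
        m = BAT_RE.search(ev.get("CommandLine", ""))
        if m and TEMP_RE.search(m.group(1)) and TEMP_RE.search(ev["ParentImage"]):
            hits.append(f"pid {ev['ParentProcessId']} ran {basename(m.group(1))} via cmd pid {ev['ProcessId']}")
    return hits


def detect_c2(events: Iterable[dict]) -> list[str]:
    """Network-connection events to any address from the extracted config."""
    return [f"pid {ev['ProcessId']} -> {ev['DestinationIp']}:{ev['DestinationPort']}"
            for ev in events
            if ev.get("EventID") == 3 and ev.get("DestinationIp") in C2_IPS]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\55ae6ad49d02908444ba196526e9bfd0N.exe"
BIUDFW = TEMP + r"\biudfw.exe"
SANFDR = TEMP + r"\sanfdr.bat"

# Constructed events mirroring the process tree in the report (not real telemetry).
EVENTS = [
    {"EventID": 1, "ProcessId": 1188, "ParentProcessId": 1000, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"' + SAMPLE + '"',
     "Hashes": "MD5=55AE6AD49D02908444BA196526E9BFD0,SHA256=" + SAMPLE_SHA256.upper()},
    {"EventID": 1, "ProcessId": 2640, "ParentProcessId": 1188, "Image": BIUDFW,
     "ParentImage": SAMPLE, "CommandLine": '"' + BIUDFW + '"', "Hashes": "SHA256=0000"},
    {"EventID": 1, "ProcessId": 2492, "ParentProcessId": 1188, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": SAMPLE, "CommandLine": 'cmd /c ""' + SANFDR + '" "', "Hashes": "SHA256=1111"},
    {"EventID": 3, "ProcessId": 2640, "Image": BIUDFW,
     "DestinationIp": "218.54.47.76", "DestinationPort": 80},
    # Benign noise: an unrelated cmd.exe started from the desktop, which must not fire.
    {"EventID": 1, "ProcessId": 3001, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd /c dir", "Hashes": "SHA256=2222"},
]

if __name__ == "__main__":
    for fn in (match_known_sample, detect_dropped_exec, detect_self_delete, detect_c2):
        print(fn.__name__, fn(EVENTS))
```

The hash and IP checks are the brittle part: a rebuilt sample or a changed config defeats them, which is why the two behavioural checks key on the Temp-to-Temp launch and the cmd-on-a-Temp-batch-file shape rather than on the names biudfw.exe and sanfdr.bat. Expect the self-delete check to also catch legitimate installers that clean up after themselves, so treat it as a lead to be combined with the other signals.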
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
  MD5: b4a86880004da8726288d7ec954885a8
  SHA1: 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
  SHA256: c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
  SHA512: 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4
- Filesize: 276B
  MD5: 0880417ff4f9404f0041785383084e0d
  SHA1: 0dfe2d0fc025e5af7ee986e6a3b050ce43fc5a05
  SHA256: b18ea1807ec1546cfc0da9fb9db95251bb3cf4c12f2d01bab1e8ab22e4059805
  SHA512: f2a794e51ebeb95532059afd1d1607afff7755ab5ef04682a27ceba59ec4c39ab9ced1e6654462ba6cc899776900e4c1320888a0349a67b35d41f270f2e9c0f9
- Filesize: 53KB
  MD5: 50048ce65981b4b5bf756e8553a358fa
  SHA1: 3f61ea5e5bcecdbf2848aafef726e84a6063c9c3
  SHA256: 7f6b57ed37b4d8a7871fff14662cd93cb8d8b9f96688f898747f011822040709
  SHA512: 24bd4944a0b80864242f039fb2199352f1b98320b8cfe3538add1d0ba0b244a5576566e4ede75fd730b52b971afe59e815c6b3a5ccab3de081162439492f1eed