Analysis

  • max time kernel
    110s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    14/08/2024, 07:21

General

  • Target

    9f273f59ffaf82c65485ac3ea2108b50N.exe

  • Size

    1.0MB

  • MD5

    9f273f59ffaf82c65485ac3ea2108b50

  • SHA1

    459756f0bf0f5fd1008e074439b8faa4114b17a1

  • SHA256

    4ac4b8cd40a3955fa6876a1865cd7c56399b26670469d559588799434b43a9b6

  • SHA512

    128b15cc0853a0f2a9ef4e97d35d1522674608206a66fc51e17486c2ce489243385059d8aa99bbcaca921826736638c3d76facd97d1a94effc5e46c68ad8b84f

  • SSDEEP

    12288:M8kxNhOZElO5kkWjhD4AyCGtAtScw3qEKZGtAtScw3qEKBYGtAtScw3qEK:jqEkfFa1456145v145

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 34 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f273f59ffaf82c65485ac3ea2108b50N.exe
    "C:\Users\Admin\AppData\Local\Temp\9f273f59ffaf82c65485ac3ea2108b50N.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Program Files\YPVK.EXE
      "C:\Program Files\YPVK.EXE"
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Enumerates connected drives
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\YPVK.EXE

    Filesize

    1.0MB

    MD5

    d5159bb7ac9308ce52dbe386ac7ef4ab

    SHA1

    0f8b6549532aa79c02c8369327f03f445bff5c08

    SHA256

    a60b40b16a8279ced256cab6bb772a822de1b38d2bd07d1cba7f78f84a33b41c

    SHA512

    149198bfdaf5fa7b070d12150689db745a0a46d139941715e393b5c0fdd8761dff869fd50591723caf141e8b61f9f88ee8c90ff8623e20106b9bcf620c000079

  • C:\Windows\FBYTEJ.EXE

    Filesize

    1.0MB

    MD5

    c60e43e1444972c4371f5f054d68ab76

    SHA1

    07176849afb35a8f797d4c7e18d2322697396990

    SHA256

    52d715ce6e7736ce165ec88bffc659739afd3a9cd779de6ca72f1f1b0d7c2cc0

    SHA512

    193454b0c5efd089bb2c496ca6409c96decd3d5938acb4a008f28e58cd72fc00f3d018bb92724e18eb95637ae971f91d167a24ee299b5012d20e06c3caa3433e

  • \??\c:\filedebug

    Filesize

    254B

    MD5

    aade3641af5db8c041289386db2f5aca

    SHA1

    85b06788952a8923f90cab1b56ddddcb77674487

    SHA256

    325d6c8375cde875113e4ef6802e1b8becb0d9d6c87d72fe7b9d3208c9800fc2

    SHA512

    8538c20bb4224902d480577e37ccd03d1a4192592c4b6a1bceac908de21899e7049c8b1a233db98c0fb83082dd8e81930e4c2c4a9975c5d5a8ea9ece932e76e3

  • memory/3784-23-0x0000000000610000-0x0000000000611000-memory.dmp

    Filesize

    4KB

  • memory/3784-28-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/3784-29-0x0000000000610000-0x0000000000611000-memory.dmp

    Filesize

    4KB

  • memory/4852-0-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/4852-1-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB

  • memory/4852-24-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB