Analysis
max time kernel
118s
max time network
103s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
18/08/2024, 02:40
Static task
static1
Behavioral task
behavioral1
Sample
49f5368f5d533b0a9422926bf93e4e30N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
49f5368f5d533b0a9422926bf93e4e30N.exe
Resource
win10v2004-20240802-en
General
Target
49f5368f5d533b0a9422926bf93e4e30N.exe
Size
245KB
MD5
49f5368f5d533b0a9422926bf93e4e30
SHA1
aa8b781c935ebcefbd8dcea8e2faa7e5ecca0078
SHA256
23631f91ff110875307a093809cbfb0813fd461b37c0fadbf9bbe8fc4c7446bd
SHA512
5014488c6b77c4bc594fba78da5ce5fd1807ef34fb842e448b9f214646a31ff3308c1a6f653ed70986f1aeca666e973a262149b1a9fe077a8166f7ecf7e643f7
SSDEEP
3072:JVHgCc4xGvbwcU9KQ2BBAHmaPxzVoTb5Ecvi5PZGIFBj:MCc4xGxWKQ2BonxfPDPj
Malware Config
Extracted
Protocol: ftp
Host: ftp.byethost12.com
Port: 21
Username: b12_8082975
Password: 951753zx
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: onthelinux
Password: 741852abc
Signatures
Executes dropped EXE (1 IoCs)
pid | Process
3008 | jusched.exe
Loads dropped DLL (2 IoCs)
pid | Process
536 | 49f5368f5d533b0a9422926bf93e4e30N.exe
536 | 49f5368f5d533b0a9422926bf93e4e30N.exe
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\bda0f93c\jusched.exe | 49f5368f5d533b0a9422926bf93e4e30N.exe
File created | C:\Program Files (x86)\bda0f93c\bda0f93c | 49f5368f5d533b0a9422926bf93e4e30N.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\Update23.job | 49f5368f5d533b0a9422926bf93e4e30N.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49f5368f5d533b0a9422926bf93e4e30N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jusched.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 536 wrote to memory of 3008 | 536 | 49f5368f5d533b0a9422926bf93e4e30N.exe | 31
PID 536 wrote to memory of 3008 | 536 | 49f5368f5d533b0a9422926bf93e4e30N.exe | 31
PID 536 wrote to memory of 3008 | 536 | 49f5368f5d533b0a9422926bf93e4e30N.exe | 31
PID 536 wrote to memory of 3008 | 536 | 49f5368f5d533b0a9422926bf93e4e30N.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\49f5368f5d533b0a9422926bf93e4e30N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49f5368f5d533b0a9422926bf93e4e30N.exe"
  PID: 536
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\bda0f93c\jusched.exe (child process)
    Command line: "C:\Program Files (x86)\bda0f93c\jusched.exe"
    PID: 3008
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
17B
MD5
134c1d489094d6d3399f65b0e9aebc1f
SHA1
612a57fbe6ed3ab9c15b39451171d813314a28d5
SHA256
54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781
SHA512
b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed
Filesize
245KB
MD5
fa6c423bec33a2fdba76b89a7c171544
SHA1
d9cdcc7fe90c20707783d43a3d03148c4b091843
SHA256
a3e0a7b2712f54132c03e82f0782cf353a316dba2eeb1616e71d00cb4c1e4082
SHA512
2f5da3c5f4063b3c9ca9935889322e9e337b8e2362d386a13f4238de33c1a0d6429bc09d8cd045e4eb8c016f01e0f7fce9fa6bc89fe11c7581da83024677b2dd