Analysis
  max time kernel: 121s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 29/08/2024, 03:08
Static task: static1
Behavioral task: behavioral1
  Sample: ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
  Resource: win10v2004-20240802-en
General
  Target: ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
  Size: 446KB
  MD5: 0d47d733753cbcc7117f987d860d0232
  SHA1: 72c7a1c30d33a32a849b43030f82e2743d1b0d76
  SHA256: ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1
  SHA512: 324c67156bdf3d1d1892075552b7a5c6519f3c714d4bc41f18c72b47b69ca4b17a74580005f772e9bc3c380ec1f3228e2150b6772eab16eb62c0cc41be9295e0
  SSDEEP: 12288:sQ3wmKKS7E/iWaYBD5SwWZCLc39cHX3VLcR:sewho6WaYBekaaHBk
Malware Config
Signatures
  Downloads MZ/PE file
  Executes dropped EXE (4 IoCs)
    PID 2796  yx_zusen.exe
    PID 1528  yz_pane.exe
    PID 1984  yz_pane.exe
    PID 1776  yz_pane.exe
  Loads dropped DLL (9 IoCs)
    PID 2512  ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
    PID 2796  yx_zusen.exe  (x8)
  Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
    File opened for modification: \??\PhysicalDrive0  (yz_pane.exe)
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (yx_zusen.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (yz_pane.exe, x3)
  NSIS installer (2 IoCs)
    behavioral1/files/0x0009000000016591-7.dat  nsis_installer_1
    behavioral1/files/0x0009000000016591-7.dat  nsis_installer_2
  Modifies Internet Explorer settings
    Key created: \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main  (yz_pane.exe)
  Suspicious behavior: EnumeratesProcesses (15 IoCs)
    PID 2512  ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe  (x2)
    PID 2796  yx_zusen.exe  (x2)
    PID 1984  yz_pane.exe  (x11)
  Suspicious use of FindShellTrayWindow (1 IoC)
    PID 1528  yz_pane.exe
  Suspicious use of SetWindowsHookEx (2 IoCs)
    PID 1776  yz_pane.exe  (x2)
  Suspicious use of WriteProcessMemory (19 IoCs)
    PID 2512 (ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe) wrote to memory of PID 2796, procid_target 32  (x7)
    PID 2796 (yx_zusen.exe) wrote to memory of PID 1528, procid_target 34  (x4)
    PID 2796 (yx_zusen.exe) wrote to memory of PID 1776, procid_target 35  (x4)
    PID 2796 (yx_zusen.exe) wrote to memory of PID 1984, procid_target 36  (x4)
Processes
  C:\Users\Admin\AppData\Local\Temp\ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe"
    PID: 2512
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\yx_zusen.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\yx_zusen.exe"
      PID: 2796
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
        Command line: "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" /ShowDeskTop
        PID: 1528
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
      C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
        Command line: "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" /autorun /setuprun
        PID: 1776
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
        Command line: "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" /setupsucc
        PID: 1984
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads