Overview

Score  Target                 Platform
7      Static                 static
3      1e737a4914...0N.exe    windows7-x64
7      1e737a4914...0N.exe    windows10-2004-x64
7      $PLUGINSDIR/FGet.exe   windows7-x64
3      $PLUGINSDIR/FGet.exe   windows10-2004-x64
3      $PLUGINSDI...LL.dll    windows7-x64
3      $PLUGINSDI...LL.dll    windows10-2004-x64
3      $PLUGINSDI...em.dll    windows7-x64
3      $PLUGINSDI...em.dll    windows10-2004-x64
3      $PLUGINSDIR/inetc.dll  windows7-x64
3      $PLUGINSDIR/inetc.dll  windows10-2004-x64
3      $PLUGINSDI...er.dll    windows7-x64
3      $PLUGINSDI...er.dll    windows10-2004-x64
3      $PLUGINSDI...gs.dll    windows7-x64
3      $PLUGINSDI...gs.dll    windows10-2004-x64
3      $PLUGINSDIR/pwgen.dll  windows7-x64
3      $PLUGINSDIR/pwgen.dll  windows10-2004-x64
3      $PLUGINSDI...de.dll    windows7-x64
3      $PLUGINSDI...de.dll    windows10-2004-x64
3      $PLUGINSDIR/xml.dll    windows7-x64
3      $PLUGINSDIR/xml.dll    windows10-2004-x64
Analysis

max time kernel: 119s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 12:23
Task          Type             Sample                                  Resource
static1       Static task
behavioral1   Behavioral task  1e737a49148aed5080271296c44018b0N.exe   win7-20240903-en
behavioral2   Behavioral task  1e737a49148aed5080271296c44018b0N.exe   win10v2004-20240802-en
behavioral3   Behavioral task  $PLUGINSDIR/FGet.exe                    win7-20240903-en
behavioral4   Behavioral task  $PLUGINSDIR/FGet.exe                    win10v2004-20240802-en
behavioral5   Behavioral task  $PLUGINSDIR/FindProcDLL.dll             win7-20240903-en
behavioral6   Behavioral task  $PLUGINSDIR/FindProcDLL.dll             win10v2004-20240802-en
behavioral7   Behavioral task  $PLUGINSDIR/System.dll                  win7-20240903-en
behavioral8   Behavioral task  $PLUGINSDIR/System.dll                  win10v2004-20240802-en
behavioral9   Behavioral task  $PLUGINSDIR/inetc.dll                   win7-20240903-en
behavioral10  Behavioral task  $PLUGINSDIR/inetc.dll                   win10v2004-20240802-en
behavioral11  Behavioral task  $PLUGINSDIR/linker.dll                  win7-20240903-en
behavioral12  Behavioral task  $PLUGINSDIR/linker.dll                  win10v2004-20240802-en
behavioral13  Behavioral task  $PLUGINSDIR/nsDialogs.dll               win7-20240903-en
behavioral14  Behavioral task  $PLUGINSDIR/nsDialogs.dll               win10v2004-20240802-en
behavioral15  Behavioral task  $PLUGINSDIR/pwgen.dll                   win7-20240708-en
behavioral16  Behavioral task  $PLUGINSDIR/pwgen.dll                   win10v2004-20240802-en
behavioral17  Behavioral task  $PLUGINSDIR/unicode.dll                 win7-20240903-en
behavioral18  Behavioral task  $PLUGINSDIR/unicode.dll                 win10v2004-20240802-en
behavioral19  Behavioral task  $PLUGINSDIR/xml.dll                     win7-20240903-en
behavioral20  Behavioral task  $PLUGINSDIR/xml.dll                     win10v2004-20240802-en
General

Target: 1e737a49148aed5080271296c44018b0N.exe
Size: 239KB
MD5: 1e737a49148aed5080271296c44018b0
SHA1: 4b7a35e72e8e9334fac287770f7b8c90cb5b7003
SHA256: 1b80d636fb9204b3974d0d9ed88f1e342a1ad198b0f1caf4e37e25198b126d2f
SHA512: cf89a40d62d6dfacd1a85cebe296320e8f0daf15eaa15293e811257433f3f6dcbd1751128beea26a50cfcb13eac13c8157eba6fd37bbecb40e53c3cc7c27399a
SSDEEP: 6144:LZ+11mDid7De9NVS22E+bKN2ja89j2By98H/:9uZa9NcEJNp8F2ByiH/
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  4500  FGet.exe
  3184  FGet.exe
  1208  FGet.exe

Loads dropped DLL (7 IoCs)
  pid  Process
  264  1e737a49148aed5080271296c44018b0N.exe
  264  1e737a49148aed5080271296c44018b0N.exe
  264  1e737a49148aed5080271296c44018b0N.exe
  264  1e737a49148aed5080271296c44018b0N.exe
  264  1e737a49148aed5080271296c44018b0N.exe
  264  1e737a49148aed5080271296c44018b0N.exe
  264  1e737a49148aed5080271296c44018b0N.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1e737a49148aed5080271296c44018b0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  FGet.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  FGet.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  FGet.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      pid  Process                                procid_target
  PID 264 wrote to memory of 4500  264  1e737a49148aed5080271296c44018b0N.exe  82
  PID 264 wrote to memory of 4500  264  1e737a49148aed5080271296c44018b0N.exe  82
  PID 264 wrote to memory of 4500  264  1e737a49148aed5080271296c44018b0N.exe  82
  PID 264 wrote to memory of 3184  264  1e737a49148aed5080271296c44018b0N.exe  89
  PID 264 wrote to memory of 3184  264  1e737a49148aed5080271296c44018b0N.exe  89
  PID 264 wrote to memory of 3184  264  1e737a49148aed5080271296c44018b0N.exe  89
  PID 264 wrote to memory of 1208  264  1e737a49148aed5080271296c44018b0N.exe  92
  PID 264 wrote to memory of 1208  264  1e737a49148aed5080271296c44018b0N.exe  92
  PID 264 wrote to memory of 1208  264  1e737a49148aed5080271296c44018b0N.exe  92
Processes
C:\Users\Admin\AppData\Local\Temp\1e737a49148aed5080271296c44018b0N.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e737a49148aed5080271296c44018b0N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 264

  C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe  (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe http://www.windows7screensavers.com/installer_writelog.php?Initial|Puid=lDYhd66aGDk1ebPt|userSABBREVCTRYNAME=USA|originalsite=ezthemes|BuildNbr=lDYhd66aGDk1ebPt|File=1e737a49148aed5080271296c44018b0N.zip|Revision=20130606_dlQUE|is64B=Y C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\S_1e737a49148aed5080271296c44018b0N.zip.ini /q /r
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4500

  C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe  (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe http://www.ezthemes.com/installer_writelog.php?Initial|Puid=lDYhd66aGDk1ebPt|userSABBREVCTRYNAME=USA|originalsite=ezthemes|BuildNbr=lDYhd66aGDk1ebPt|File=1e737a49148aed5080271296c44018b0N.zip|Revision=20130606_dlQUE|is64B=Y C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\S_1e737a49148aed5080271296c44018b0N.zip.ini /q /r
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3184

  C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe  (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe http://www.themexp.org/country_err.php?A|ezthemes.com||USA C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\E_1e737a49148aed5080271296c44018b0N.zip.ini /q /r
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1208
Network
MITRE ATT&CK Enterprise v15
Downloads