Analysis
max time kernel: 141s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 14:00
Static task: static1
Behavioral task: behavioral1
  Sample: 033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe
  Resource: win10v2004-20240802-en
General
Target: 033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe
Size: 2.7MB
MD5: 9d638301c6a769cfc219502133716375
SHA1: 468ed0ec527abaa3700341c911fed6ea09494ebd
SHA256: 033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763
SHA512: be5f3d5e55369680a2c14ce7587c81e014b4af8b57d6c90fb70dcfb4e097da87c14801010f393f768978889c8f42a68bb882ac95e6bdb74a9777390fa8ff7dd9
SSDEEP: 49152:C9Qz4VE+Y7rbEpPxZ0Qc9rXMzAb/xSGTvgR3AXijUrGPbQPeGSsOYR1wFn4:MQEVRbZ09r8zm/xhgR3AXijrEPL9R1x
Malware Config
Signatures
Detect Socks5Systemz Payload (3 IoCs)
  resource / yara_rule:
    behavioral2/memory/3928-59-0x0000000000930000-0x00000000009D2000-memory.dmp  family_socks5systemz
    behavioral2/memory/3928-82-0x0000000000930000-0x00000000009D2000-memory.dmp  family_socks5systemz
    behavioral2/memory/3928-83-0x0000000000930000-0x00000000009D2000-memory.dmp  family_socks5systemz
Socks5Systemz
  Socks5Systemz is a botnet written in C++.
Executes dropped EXE (2 IoCs)
  pid / Process:
    2500  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
    3928  videoconverterbeta32.exe
Loads dropped DLL (1 IoCs)
  pid / Process:
    2500  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
Unexpected DNS network traffic destination (1 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description / ioc:
    Destination IP  141.98.234.31
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  videoconverterbeta32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process:
    2500  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
    2500  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid / Process:
    2500  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target:
    PID 1788 wrote to memory of 2500  1788  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe  85
    PID 1788 wrote to memory of 2500  1788  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe  85
    PID 1788 wrote to memory of 2500  1788  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe  85
    PID 2500 wrote to memory of 3928  2500  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp  88
    PID 2500 wrote to memory of 3928  2500  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp  88
    PID 2500 wrote to memory of 3928  2500  033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp  88
Processes
C:\Users\Admin\AppData\Local\Temp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1788
  C:\Users\Admin\AppData\Local\Temp\is-QG14J.tmp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-QG14J.tmp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp" /SL5="$60236,2606622,56832,C:\Users\Admin\AppData\Local\Temp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2500
    C:\Users\Admin\AppData\Local\Video Converter Beta\videoconverterbeta32.exe
      Command line: "C:\Users\Admin\AppData\Local\Video Converter Beta\videoconverterbeta32.exe" -i
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3928
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

  C:\Users\Admin\AppData\Local\Temp\is-QG14J.tmp\033edd4c5eebe907d0c071e846080d72eafd8d047a59be3c898ecd926f8f5763.tmp
  Filesize: 690KB
  MD5: 45146253707d5e78e04106da4c1563a0
  SHA1: 27e5d7ab37dfa04e45d7e7b0ea2824c99559a952
  SHA256: 2799a35d19ea8b0ca8e47a1f02d801e705cab1401777fd7446ca0094425c79e6
  SHA512: 2d9c02fbc9c1ba4d2bf7a8b214b32367a22fb0bc7c72e6bf341c37ef4f3e24dcdf62dc2bb7162c442de1267329814e7c8e941a81611a36659bdc8dcfe769be76

  Filesize: 2.6MB
  MD5: 1fc9a549c692b6ad8fa2ba575f5c52c7
  SHA1: 031dce10ca29752d5d92f579c8b8c6804ce7eedf
  SHA256: a6330510d8dd6f080dbae700ee4f9ae2d0fb47c80d1780f3905739a97f405479
  SHA512: d3330256682298c464d15fe7aa3360c36d752e9e5f939a716608ebc945c48db2ba397622bd6a8e9463ed17ccd67fa8b43281e4531a4651187d45223031a6a91f