Analysis

  • max time kernel
    97s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/09/2024, 19:52

General

  • Target

    c266a80102b18214213c40df8ae1a590N.exe

  • Size

    213KB

  • MD5

    c266a80102b18214213c40df8ae1a590

  • SHA1

    22e116c56d8003cc76ebc20c9c6208ddc39d4c2b

  • SHA256

    394815d29801462e7c64bcd3eae9aa337e44f8153e1128964132e1bf7c2e8461

  • SHA512

    1517295e31eb032f0300d4b2282d55999c5e2d287b66ce857ccb7c49481a9df7e9e93314434df50573e03df07ba943527777679ee5ecafb5a1bb217028fcecb0

  • SSDEEP

    1536:P5AiTLOQ74YDtnlN5UL09atT0mBBAragjSvIYFwAmd/oHQpNulP:P53mQ7JtnP5I09qgmBBAWgjSvwN/oHWm

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c266a80102b18214213c40df8ae1a590N.exe
    "C:\Users\Admin\AppData\Local\Temp\c266a80102b18214213c40df8ae1a590N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Program Files (x86)\7d57eb5c\jusched.exe
      "C:\Program Files (x86)\7d57eb5c\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\7d57eb5c\7d57eb5c

    Filesize

    17B

    MD5

    4d77d6b250ffb567743b8dbcdad695b8

    SHA1

    d5a8f98f9433f6d36c74df463cef3e2cf524462d

    SHA256

    7ec7a3a23890c3592f5b762aecf11adbf8831fad11b8048aedfa7315d599c5f2

    SHA512

    5655153049101fd67125d484c81f1ad30b44f36f00e3aabfe8d730a21661f4b394357b60da549289def4311b4cc7bd508d8fd6b8db254cd442b2152f8902bd71

  • C:\Program Files (x86)\7d57eb5c\jusched.exe

    Filesize

    213KB

    MD5

    de8a6181fa7ed0e41408ea30f3e494c2

    SHA1

    b8f0cced68ad999e8ca2aeb4925159c55d90ae5d

    SHA256

    9d0438fe735cc2e14a4498fbe53b0bf95b64c8c3b53a48b8d43db77c2d5228af

    SHA512

    b19125fcf8754b86e381fc11eca1c4debdc091fe6bc7fe50bd1f7f11b001045c5ee3ff293a147c68fb4048df1051968c0ace4f0b2a102c6a07920bad68e056d6

  • memory/3284-13-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/3284-17-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/4880-0-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/4880-15-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB