Analysis
- max time kernel: 93s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2024, 18:32
Behavioral task: behavioral1
- Sample: 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
- Resource: win7-20240903-en
General
- Target: 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
- Size: 578KB
- MD5: b52088e450ef03ff18b089f2638e54a0
- SHA1: 98c65f8876cd9c0065cf8ca2d0305d16d265e4ea
- SHA256: 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610
- SHA512: 43312e853b0c6c721ec0bb7aa5ec4a6c3dbf1506a4e413209e4828bf30e23f3ba618dd27d94bcff52cc2aa33f933004e5b4ce6bd174961f6c95cfa5225aff53f
- SSDEEP: 6144:XV55pRPQdrFhbEhtVacLaN//2gWF6lxcBbmKm:XDDGdDbEh/a3tKj
Malware Config
Signatures
- Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe)
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (vxdserv.exe)
- Executes dropped EXE (1 IoCs)
  pid / Process:
  - 628 vxdserv.exe
- Drops file in System32 directory (3 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\SysWOW64\vxdserv.exe (9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe)
  - File opened for modification: C:\Windows\SysWOW64\vxdserv.exe (9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe)
  - File created: C:\Windows\SysWOW64\vxdserv.exe (vxdserv.exe)
- YARA rule matches (resource / yara_rule)
  - behavioral2/memory/2996-0-0x0000000000400000-0x0000000000448000-memory.dmp: upx
  - behavioral2/files/0x0008000000023431-6.dat: upx
  - behavioral2/memory/2996-8-0x0000000000400000-0x0000000000448000-memory.dmp: upx
  - behavioral2/memory/628-9-0x0000000000400000-0x0000000000448000-memory.dmp: upx
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vxdserv.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 64 entries, all for PID 2996 (9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe) and PID 628 (vxdserv.exe); the two processes interleave at first and the list ends with a long unbroken run of PID 628.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  - PID 2996 wrote to memory of 628: 2996 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe, procid_target 82
  - PID 2996 wrote to memory of 628: 2996 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe, procid_target 82
  - PID 2996 wrote to memory of 628: 2996 9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe, procid_target 82
Processes
- C:\Users\Admin\AppData\Local\Temp\9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe (PID 2996)
  command line: "C:\Users\Admin\AppData\Local\Temp\9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe"
  - Looks for VMWare Tools registry key
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\vxdserv.exe (PID 628)
    command line: C:\Windows\system32\vxdserv.exe
    - Looks for VMWare Tools registry key
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 584KB
  MD5: 1b122ad1d6ec5945bdaa8eb0e150db23
  SHA1: 286626f846173a94357bf7362e920db2154c6c99
  SHA256: 54f5274317090538d447fb2c6fc82a8183d3851d8d8bf8404b42a5da349215f5
  SHA512: ed9a631841dda5221ef0a8005219b6d58e0bd2a3e41cb7cb37bf3a0cdcb83939ce9fb0a3af1dd8e7c16cf06187786c2f1f123ff9d7e201d16e39cce8d05727e0