Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/09/2024, 19:56

General

  • Target

    f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe

  • Size

    29KB

  • MD5

    4dffbbde9513d7c5cbc433d7fe5706e0

  • SHA1

    10a55ef63f6d97cce168316dd9ecad26ab19990f

  • SHA256

    f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8

  • SHA512

    b45222b92cbe13b7eff85d9fafda93dd93ce193ac18c0fa48f12d59c8f23427ca3f457311fcf852baf0263356c56ce820cdb6bd3d0f7746c3642ad4349368585

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9//n:AEwVs+0jNDY1qi/qXn

Malware Config

Signatures

  • Detects MyDoom family 6 IoCs
  • MyDoom

    MyDoom is a Worm that is written in C++.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe
    "C:\Users\Admin\AppData\Local\Temp\f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3500

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N27JXEQ0\search[1].htm

    Filesize

    25B

    MD5

    8ba61a16b71609a08bfa35bc213fce49

    SHA1

    8374dddcc6b2ede14b0ea00a5870a11b57ced33f

    SHA256

    6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

    SHA512

    5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

  • C:\Users\Admin\AppData\Local\Temp\tmpAF8C.tmp

    Filesize

    29KB

    MD5

    e46ebc02db0544be78a0676e56a06ed6

    SHA1

    97f00c11323f65e28c01f8d8dfc698a6fa8e8773

    SHA256

    f4182f6202ece74af5a18bbd09dd3fe0306091414631fe264b915494adb2cf8f

    SHA512

    2286319124c01875f7a244577d52b5eae0f9f6721ccc19af8783035bd68e168fd3d930238fe7d8a642511d357cdcf10bcc0ca20d39d652e7aacc620301a7c4ef

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    352B

    MD5

    49ec4cfca59fb02e1483d6f613bf273f

    SHA1

    33e0386afc985dd852e95749ac674e65abf5e66f

    SHA256

    a04ab21c3173a22b16d9f308e5ffab6d700f43e0da11786bee3bf0f627b41df5

    SHA512

    774e849c7593e9725cbe9498d5aa28df8c18ed74deab4aa7c151dfe190c8c935a9882ee10dc9ff5afdc5ae31312b7989dc977002eb4419f9be56e9fecb386a84

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    352B

    MD5

    c2e70d18698a0c6f995b085d50d3cd8d

    SHA1

    2e9f63a046f891e0c816b40d773662d13239c834

    SHA256

    273abb4c5574539873bd1d0552ab837ef2cdd546cba3c4138909a852411097d0

    SHA512

    0c2c10793f2aae2d47063dd9166bc903f4fb051a72113588e1bd2384f49561bd189d10854cf457f7718b4290353c921c0bbf645b2a352b07a22d6dfe0b511a45

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    352B

    MD5

    dc568eba27201589519630a82e8e43ee

    SHA1

    39ce1dc4dc14d019056c379d579b6ce34e4d17ad

    SHA256

    ddee1b51b4f609817594f616c3b61e22f7709fc4f87026999a1cbd301478c38b

    SHA512

    72a35a487f30d1f684bc1341fcf61aa1ebd5459962156746cbbac26c958f84faa9db1df8fc2052e93e5ce987747704bbef8e0030e8c35b681d464b4b944a404d

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    352B

    MD5

    f0a99e6bc2a609c9a36963ffe8400cb2

    SHA1

    ee3e834031f960bc6c50c29455704f1ecf497192

    SHA256

    705bb1f28a4f620aad221d06f486c56c7b685bafc4e875f2aadeb9795a11869b

    SHA512

    a1a5586adbb7288e847d562d5d756538dce7dba1b7fbab8f807dc179d5017155cf4e374246d34d32b068bda529fd12393f7859c6bb90208e77e9e6fecb51974f

  • C:\Windows\services.exe

    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/1140-165-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/1140-158-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/1140-130-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/1140-13-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/1140-37-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/1140-0-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/1140-39-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/3500-38-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-40-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-33-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-28-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-131-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-26-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-21-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-159-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-161-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-15-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-166-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-16-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3500-5-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)