Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/09/2024, 19:56
Behavioral task behavioral1
- Sample: f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe
- Resource: win10v2004-20240802-en
General
- Target: f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe
- Size: 29KB
- MD5: 4dffbbde9513d7c5cbc433d7fe5706e0
- SHA1: 10a55ef63f6d97cce168316dd9ecad26ab19990f
- SHA256: f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8
- SHA512: b45222b92cbe13b7eff85d9fafda93dd93ce193ac18c0fa48f12d59c8f23427ca3f457311fcf852baf0263356c56ce820cdb6bd3d0f7746c3642ad4349368585
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9//n:AEwVs+0jNDY1qi/qXn
Malware Config
Signatures
- Detects MyDoom family (6 IoCs)
  resource | yara_rule
  behavioral2/memory/1140-13-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
  behavioral2/memory/1140-37-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
  behavioral2/memory/1140-39-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
  behavioral2/memory/1140-130-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
  behavioral2/memory/1140-158-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
  behavioral2/memory/1140-165-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
- Executes dropped EXE (1 IoC)
  pid | Process
  3500 | services.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
- yara_rule upx matches (22 IoCs)
  resource | yara_rule
  behavioral2/memory/1140-0-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/files/0x0007000000023418-4.dat | upx
  behavioral2/memory/3500-5-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/1140-13-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3500-16-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3500-15-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3500-21-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3500-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3500-28-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3500-33-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/1140-37-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3500-38-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/1140-39-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3500-40-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/files/0x000900000001db58-50.dat | upx
  behavioral2/memory/1140-130-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3500-131-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/1140-158-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3500-159-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3500-161-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/1140-165-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3500-166-0x0000000000400000-0x0000000000408000-memory.dmp | upx
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\java.exe | f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe
  File created | C:\Windows\services.exe | f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe
  File opened for modification | C:\Windows\java.exe | f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1140 wrote to memory of 3500 | 1140 | f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe | 82
  PID 1140 wrote to memory of 3500 | 1140 | f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe | 82
  PID 1140 wrote to memory of 3500 | 1140 | f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe "C:\Users\Admin\AppData\Local\Temp\f1647f3320cec353c34fd1e3fa351a07a11b15977b21f0c19393778684caefa8N.exe" (PID: 1140)
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\services.exe "C:\Windows\services.exe" (PID: 3500)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- Filesize: 29KB
  MD5: e46ebc02db0544be78a0676e56a06ed6
  SHA1: 97f00c11323f65e28c01f8d8dfc698a6fa8e8773
  SHA256: f4182f6202ece74af5a18bbd09dd3fe0306091414631fe264b915494adb2cf8f
  SHA512: 2286319124c01875f7a244577d52b5eae0f9f6721ccc19af8783035bd68e168fd3d930238fe7d8a642511d357cdcf10bcc0ca20d39d652e7aacc620301a7c4ef
- Filesize: 352B
  MD5: 49ec4cfca59fb02e1483d6f613bf273f
  SHA1: 33e0386afc985dd852e95749ac674e65abf5e66f
  SHA256: a04ab21c3173a22b16d9f308e5ffab6d700f43e0da11786bee3bf0f627b41df5
  SHA512: 774e849c7593e9725cbe9498d5aa28df8c18ed74deab4aa7c151dfe190c8c935a9882ee10dc9ff5afdc5ae31312b7989dc977002eb4419f9be56e9fecb386a84
- Filesize: 352B
  MD5: c2e70d18698a0c6f995b085d50d3cd8d
  SHA1: 2e9f63a046f891e0c816b40d773662d13239c834
  SHA256: 273abb4c5574539873bd1d0552ab837ef2cdd546cba3c4138909a852411097d0
  SHA512: 0c2c10793f2aae2d47063dd9166bc903f4fb051a72113588e1bd2384f49561bd189d10854cf457f7718b4290353c921c0bbf645b2a352b07a22d6dfe0b511a45
- Filesize: 352B
  MD5: dc568eba27201589519630a82e8e43ee
  SHA1: 39ce1dc4dc14d019056c379d579b6ce34e4d17ad
  SHA256: ddee1b51b4f609817594f616c3b61e22f7709fc4f87026999a1cbd301478c38b
  SHA512: 72a35a487f30d1f684bc1341fcf61aa1ebd5459962156746cbbac26c958f84faa9db1df8fc2052e93e5ce987747704bbef8e0030e8c35b681d464b4b944a404d
- Filesize: 352B
  MD5: f0a99e6bc2a609c9a36963ffe8400cb2
  SHA1: ee3e834031f960bc6c50c29455704f1ecf497192
  SHA256: 705bb1f28a4f620aad221d06f486c56c7b685bafc4e875f2aadeb9795a11869b
  SHA512: a1a5586adbb7288e847d562d5d756538dce7dba1b7fbab8f807dc179d5017155cf4e374246d34d32b068bda529fd12393f7859c6bb90208e77e9e6fecb51974f
- Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2