Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 77s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 30/09/2024, 16:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
- Resource: win7-20240708-en
General
- Target: 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
- Size: 329KB
- MD5: 373823c3f20c185c50bc7abd35345bd0
- SHA1: b9bf4195521f9cd012af3773bf5cdb9ac98fac75
- SHA256: 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7
- SHA512: 746b6e9266a4f7b8c2ff08ccb71a9a3ec65de365a91c07d49b6f14db1ac40acd8886624d42239bb21b077939d51442c4c7a374a64cced51db6c9cb268c7480c8
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVP:vHW138/iXWlK885rKlGSekcj66ciEP
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
- Deletes itself (1 IoC)
  pid 3032, process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2396, process rorea.exe
  pid 2940, process secyd.exe
- Loads dropped DLL (2 IoCs)
  pid 1992, process 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
  pid 2396, process rorea.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by secyd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rorea.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid 2940, process secyd.exe (24 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1992 wrote to memory of 2396, process 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe, procid_target 30 (4 entries)
  PID 1992 wrote to memory of 3032, process 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe, procid_target 31 (4 entries)
  PID 2396 wrote to memory of 2940, process rorea.exe, procid_target 34 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe"
  PID: 1992
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rorea.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rorea.exe"
    PID: 2396
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\secyd.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\secyd.exe"
      PID: 2940
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 3032
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 342B
  MD5: 16345585560837b3f96911125dc68a5a
  SHA1: c4168f87ff5f1acd63b1feace8736cd358a838c0
  SHA256: 8b2a808965b4f50f7a138e9cf41c4ae5fbeb7d2a704c312bc2fec6ffa8fafbe7
  SHA512: 67fb0fd89fd02afd31137ebe98642b3bd5d04ede03427b3f374f2b7bd63c580c4b2dc78eebaccbd3ff3eac934be9d19b5cb00b4cd526a82ee97b884215c12118
- Filesize: 512B
  MD5: e56a75927aa4fd27807f9a72605cd9ef
  SHA1: 84243d79f484f8d6318e7ab8a2949b72ee2e8782
  SHA256: 6ddc9244c8566cb9153b73a12a30d7e7963b0eada3c8a20926b6d7ec5302231d
  SHA512: 99190cfe9e4cb888b5bfdb42dd8a2ad53ed22d1d4baba2e01a14ee76393e5c3cccd7bceac51954294611597a56a2926e1ab208ff996e1a76024c5d8ba50d1bbc
- Filesize: 172KB
  MD5: 02b7ebc56c07fc1cb5bf57235894f90a
  SHA1: cdcc5bd631a500158a7350134295c06bec1c8761
  SHA256: 4fbe767c383f12bd941cfa9caf4dfa57bd18c3a2d6a2f63413ba3e345b034f2e
  SHA512: f64b0a18af90e2bc70c51d5c162d9f527d559e277dd0a3841bdd6289ba5392c00f27de6b869e121dbf94f7fa141849a2d232975e6e5ea96a530fc6d8b54483c8
- Filesize: 329KB
  MD5: c1fa4213f483cc81e820044d584a36dd
  SHA1: f74a13f22554356276e28a4030ccb14255880652
  SHA256: 219a4022916c5dbb5403f4b2e8e226fe2b0c5ca25653aad45ef94b65adec2413
  SHA512: cb603964ec8799f4161befab745b50abd6ef314d3e0b67c601f753c877bf78e1884b434be41bcb0be1888d1073b416a76bdd52096398ee73770cc96488e713b9