Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

5b8e4397bb...1N.exe

windows7-x64

7

5b8e4397bb...1N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b8e4397bb3a785f3dcf115515a50ef6324d2bca74baced3e0ae4ef85295eb11N.exe

  • Size

    410KB

  • MD5

    0decb70b94cb40f4a54a05f701f82420

  • SHA1

    cbedb69f4d14e2c90cdc3b1e0d16648384db3a3a

  • SHA256

    5b8e4397bb3a785f3dcf115515a50ef6324d2bca74baced3e0ae4ef85295eb11

  • SHA512

    14faeff2bc0208a2f77ce858ba11f00d7253135f2e4b73c14f8da2c6741273c0a735b5ef39b1b8b0650e9fcf903fad19378736da41d1a409351db8aaffe0a708

  • SSDEEP

    6144:6BxIK3CTW8TMjp41u6nyHwnZTvFC/0qAcWiujK21ZyOQUztIIHHg1kAuZBLtOus:CxIK9V14ImyHYTvFmwTmqztIkHSkZt4

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b8e4397bb3a785f3dcf115515a50ef6324d2bca74baced3e0ae4ef85295eb11N.exe
    "C:\Users\Admin\AppData\Local\Temp\5b8e4397bb3a785f3dcf115515a50ef6324d2bca74baced3e0ae4ef85295eb11N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\ProgramData\gnpcup.exe
      "C:\ProgramData\gnpcup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Documents and Settings .exe
    Filesize

    410KB

    MD5

    0890bb6bda20569718558c1fbcc26e57

    SHA1

    b86ec42b224768221f4b1cb57fb3322981735cd0

    SHA256

    965f99c2162c0225ff3035ec4ac8251f3e339aa485844ec4b819d297fe58ff51

    SHA512

    6911ac29894ba0abe3dfdf508b886489a7605d9697a157b2c3b14b5f1a6b3bf0581ba82acbdf0c000000665c6f7d2e2eff8c1fc98264564ea356e993c17ee253

    Download Submit

  • C:\ProgramData\Saaaalamm\Mira.h
    Filesize

    150KB

    MD5

    aef10b9ba25f907727558514f2dfbab0

    SHA1

    d67383ef1b23d4da72339d66de9541c2e1efaf53

    SHA256

    f5e77ddc706f6dffe056dc2f8a88adece36e0e4552bc70a85f36b1e01fe547ad

    SHA512

    5e607a70ca3fa489897f8df0c96570709839364cd8cabd5f76386dfff01ca2986d50c120cf82926dff950c7d7b6ec833ea7558b64ec8f0dfe2e5070abf1da103

    Download Submit

  • C:\ProgramData\gnpcup.exe
    Filesize

    259KB

    MD5

    6bae06dd45e85bee5764debdeecdc596

    SHA1

    81f2a8abe8b3ec469b2396fd41c0f6bdddaa75a6

    SHA256

    643c449f8a0a8d8613cf2ca7c934cc33e0c998f33ce893b572053ecbbaf8307d

    SHA512

    91418ef8072c017485ce27b3d602ed06498033e7a116da600fd923fa85f6c58bd6b3caa4e84818615e6cf2d3d4c5b1c987425455126dd6cf3a59654086000bd7

    Download Submit

  • memory/1696-130-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/3728-0-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/3728-1-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/3728-9-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download