Analysis
max time kernel: 142s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/10/2024, 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe
  Resource: win10v2004-20240802-en
General
Target: f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe
Size: 1.8MB
MD5: 2f91a52ce172b10c730387788b06358d
SHA1: e22f66c120f19156cd143b35b565ad5956ae6013
SHA256: f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2
SHA512: 0bd96b3af646bbec0429a6747b96fa6e28f66477b0a7c40af4a7f2ecdc7ccac5681ca3300cb10d7e66cb62a3a3fd88b963660388a262868b38f30acace5e2eca
SSDEEP: 24576:04nXubIQGyxbPV0db26WoJVEuvsv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdO:0qe3f6S9SffPMWrQ0Zk
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
    pid   Process
    756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp
    3088  7za.exe
    1968  bin.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7za.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bin.exe
- Kills process with taskkill (1 IoCs)
    pid   Process
    548   taskkill.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   Process
    1844  schtasks.exe
- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
    description                 flow  ioc
    HTTP User-Agent header      20    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp
    756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp
- Suspicious use of FindShellTrayWindow (5 IoCs)
    pid   Process
    756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp
    1968  bin.exe
    1968  bin.exe
    1968  bin.exe
    1968  bin.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
    pid   Process
    1968  bin.exe
    1968  bin.exe
    1968  bin.exe
    1968  bin.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
    description                      pid   Process                                                                 procid_target
    PID 5108 wrote to memory of 756  5108  f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe  82
    PID 5108 wrote to memory of 756  5108  f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe  82
    PID 5108 wrote to memory of 756  5108  f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe  82
    PID 756 wrote to memory of 548   756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  83
    PID 756 wrote to memory of 548   756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  83
    PID 756 wrote to memory of 548   756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  83
    PID 756 wrote to memory of 1844  756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  92
    PID 756 wrote to memory of 1844  756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  92
    PID 756 wrote to memory of 1844  756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  92
    PID 756 wrote to memory of 3088  756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  94
    PID 756 wrote to memory of 3088  756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  94
    PID 756 wrote to memory of 3088  756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  94
    PID 756 wrote to memory of 1968  756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  98
    PID 756 wrote to memory of 1968  756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  98
    PID 756 wrote to memory of 1968  756   f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp  98
Processes
C:\Users\Admin\AppData\Local\Temp\f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5108
  C:\Users\Admin\AppData\Local\Temp\is-BUC6B.tmp\f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-BUC6B.tmp\f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp" /SL5="$70116,1074986,831488,C:\Users\Admin\AppData\Local\Temp\f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 756
    C:\Windows\SysWOW64\taskkill.exe
      Command line: "taskkill" https://setstat.ru/api/savePostback?chid=%s&guid=%s&type=vkdjbin.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      PID: 548
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /Create /TN principal-plus /SC ONLOGON /TR "C:\ProgramData\ports-postal\bin.exe /H" /F /DELAY 0001:00 /RL HIGHEST
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 1844
    C:\Users\Admin\AppData\Local\Temp\is-P5BEF.tmp\7za.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-P5BEF.tmp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\is-P5BEF.tmp\5.14.zip" -pvkd -y -oC:\ProgramData\ports-postal
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3088
    C:\ProgramData\ports-postal\bin.exe
      Command line: "C:\ProgramData\ports-postal\bin.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1968
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 9.7MB
  MD5: 2e9b855fd40c1730ead9dbe3942a8d53
  SHA1: 406de9e251c4d61dbb89bcbb0f6d36c1f61ebcb8
  SHA256: 7e15514285906a7092ba879dcc4db88e2f9e1356846ca983fa33d05d8b28ecb3
  SHA512: dd706ea30041c4bade58d8df49126c63967deed204bf76edc9e9bebd1c9736447965d5c935df9c687eed9f9fbd60fdb61349d939b78576d4d918a34036054e8f
-
  Filesize: 717B
  MD5: 822467b728b7a66b081c91795373789a
  SHA1: d8f2f02e1eef62485a9feffd59ce837511749865
  SHA256: af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
  SHA512: bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
  Filesize: 504B
  MD5: 9be9036404a0746236e1093079c424d6
  SHA1: 5e25f29fa44b5abf8b7868d5422f624ef3aa2e59
  SHA256: b36ffa5740f4949b4b6f04990285774837c12faa5a7f8fade4f8733de9805ce4
  SHA512: 6a6ab23e3e3e16dd76a2c35cb31543dad46ac8d6427b83ab443f66feda9f794b3ca0dcf2233f10e6018c7c78cd1c7116e5289d6d31a0a05ee92da32435d0b7c8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  Filesize: 192B
  MD5: 3e33bc16823f7cbafb5a22cc36ebea71
  SHA1: e12172eea100020ba9108c9180a8d1a4f5dde84c
  SHA256: b595daa599c45d84e2548dfa1c38fecce00f57c017b031fe0c98dba93fbd38da
  SHA512: 9024772da52e47d5524c9dca04756f205c9ad08aae3ddeeb01fd385c40e4c77561cf96d500d9cc78bd4b3213a6422ad258f952df16dc7176260c9aa28bbf825a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24E728EA67A1638D93C3A7ACDB892D04
  Filesize: 550B
  MD5: 227ba117b593b643e0f07b241dc945c2
  SHA1: abdb2dc41004769bba163d7653c90dc1c1da1eda
  SHA256: 29005979115f7cd0fb519970defa49c8ecd37c73308b4903378faac4cb17e184
  SHA512: 60deb59fd494f9ca2d4f5f5c60b3865d755d033ec10d58c09e44fab681a0f20737758b619f361f1dc53a8fc1f3f1e580a09f26ee5f0efe2440191329fb954090
-
  Filesize: 203KB
  MD5: b9314504e592d42cb36534415a62b3af
  SHA1: 059d2776f68bcc4d074619a3614a163d37df8b62
  SHA256: c60c3a7d20b575fdeeb723e12a11c2602e73329dc413fc6d88f72e6f87e38b49
  SHA512: e50adb690e2f6767001031e83f40cc067c9351d466051e45a40a9e7ff49049e35609f1e70dd7bb4a4721a112479f79090decca6896deac2680e7d107e3355dae
- C:\Users\Admin\AppData\Local\Temp\is-BUC6B.tmp\f66cce75057b8b516e1d2aa0a24f32361cdf7494ace1a6622fc96c54db38b5e2.tmp
  Filesize: 3.0MB
  MD5: 73541c3ea8bf540604ee23cb0b93bc69
  SHA1: 31dc64100b034f0cd76edcabf01ca5ee8b552d39
  SHA256: 172c967e2dd6b5598a36da5439f47d318a6336db1ac9de2bca33ed595fadbf70
  SHA512: 24cdef59064274d9a6ffc1984609990aba17023064930badf0d4ecab30e53e35461e2776cbbc0681aa8947c1c704e6e875d4c8a2613f7673b1495dd35e3cd9e1
-
  Filesize: 3.6MB
  MD5: 22f982f6129b7e8ddc2212041530e609
  SHA1: bef494910b3f0e48741ae8ab7af537d15296d096
  SHA256: c8519331e74fb0b204c7be4033d8bf448bd6bd15f16ad420debb5e4bd4076717
  SHA512: 28394a4d4d6c53511e07a0ce0c0fc9ffe02e0de8e5aad588b46f37c4b7d5036e804d536358ac4b7e179e25f007b65fe94d0a511d4f0a1915e0a3df52fa0eab12
-
  Filesize: 319KB
  MD5: e2956d9884022ba9337d5cf092384370
  SHA1: 7e1394579b26d65c6b7fd016e8f68aa0f06c031b
  SHA256: a6a7367d09e7694e34df04c0f2d0203531993cf0735b5374fbdf8c1365cce0b4
  SHA512: bcbece48d22d66308c96718121e0faa54ef73d992de4379388be69592eceeb2dad911a0a195216748c78780c517f8e4e23195747d94e01ecec4089d7eb3c5e0b
-
  Filesize: 574KB
  MD5: 42badc1d2f03a8b1e4875740d3d49336
  SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
  SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c