Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 16s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2024, 20:04
Static task: static1
Behavioral task: behavioral1
  Sample: 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
  Resource: win10v2004-20241007-en
General
Target: 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
Size: 208KB
MD5: 7197ba91384e104db3a1197a99367abe
SHA1: e9ccf1b601fa65ffbdc206f3de792c7b40e6f1cb
SHA256: 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3
SHA512: 5d7019810d1a1f8369bf7b22e1f2490392cfc83d9f75ccda613ed5862e4f58b2d839f5f73c220ad81a554b29d81da74ae4ecc41499b31b53efd8891909ed33d8
SSDEEP: 3072:cFlQ93zbLRqwsJkbiwIhq+hbUt0eDIdsMTGuKXO4hWczhyiKhIDnLp4NLthEjQT7:ck9jb8wsJScXbUdIWMKZ31B+untQEjM
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2220 | MIKDGBU.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1296 | cmd.exe
  1296 | cmd.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\windows\SysWOW64\MIKDGBU.exe | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
  File opened for modification | C:\windows\SysWOW64\MIKDGBU.exe | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
  File created | C:\windows\SysWOW64\MIKDGBU.exe.bat | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MIKDGBU.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1820 | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
  2220 | MIKDGBU.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  1820 | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
  1820 | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
  2220 | MIKDGBU.exe
  2220 | MIKDGBU.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1820 wrote to memory of 1296 | 1820 | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe | 28
  PID 1820 wrote to memory of 1296 | 1820 | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe | 28
  PID 1820 wrote to memory of 1296 | 1820 | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe | 28
  PID 1820 wrote to memory of 1296 | 1820 | 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe | 28
  PID 1296 wrote to memory of 2220 | 1296 | cmd.exe | 30
  PID 1296 wrote to memory of 2220 | 1296 | cmd.exe | 30
  PID 1296 wrote to memory of 2220 | 1296 | cmd.exe | 30
  PID 1296 wrote to memory of 2220 | 1296 | cmd.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe"
  PID: 1820
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\windows\system32\MIKDGBU.exe.bat" "
    PID: 1296
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\windows\SysWOW64\MIKDGBU.exe
      Command line: C:\windows\system32\MIKDGBU.exe
      PID: 2220
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78B
  MD5: e6ba86670d38d86cb48e46df760a4b30
  SHA1: f18487edd6d2017b224409ab2fabc352d7faa3f3
  SHA256: d56bf1200f38ee5b74f373dac4357c8504958a26a9ec184f8107f6552025e6c9
  SHA512: 32d16b60bd9bb00223589a7be69ec9fc107c17c82a3e3bdec01226c1003079eefd39a43ef2ac250f4b4d0cc5348a8b6b3241eee2c134075eefdc35d128789915
- Filesize: 208KB
  MD5: 452a433ef00e3a5d62c0d85b68bbe5f2
  SHA1: 9aae5011fdc21a74dd33a3e2978806e75e5e84fc
  SHA256: 910745039da0e75ebca4826b21acabf8be93e2a0056f9e10b626fe547e0de016
  SHA512: 9911cccc3c54c54ec526549ca5c231d4ad895b4c9a80b737c84ebdf3f46e58636fd0e30938d61f21bc093928ab4c9e7e6c89b5b668c6510ccf77fcbcf257a7dd