Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    11/10/2024, 20:04

General

  • Target

    2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe

  • Size

    208KB

  • MD5

    7197ba91384e104db3a1197a99367abe

  • SHA1

    e9ccf1b601fa65ffbdc206f3de792c7b40e6f1cb

  • SHA256

    2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3

  • SHA512

    5d7019810d1a1f8369bf7b22e1f2490392cfc83d9f75ccda613ed5862e4f58b2d839f5f73c220ad81a554b29d81da74ae4ecc41499b31b53efd8891909ed33d8

  • SSDEEP

    3072:cFlQ93zbLRqwsJkbiwIhq+hbUt0eDIdsMTGuKXO4hWczhyiKhIDnLp4NLthEjQT7:ck9jb8wsJScXbUdIWMKZ31B+untQEjM

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
    "C:\Users\Admin\AppData\Local\Temp\2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\system32\MIKDGBU.exe.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\windows\SysWOW64\MIKDGBU.exe
        C:\windows\system32\MIKDGBU.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2220
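
The process tree above shows a three-stage drop-and-execute chain: the sample (PID 1820) writes MIKDGBU.exe.bat and MIKDGBU.exe into the Windows system directory, spawns cmd.exe to run the .bat, and the .bat launches the dropped EXE (PID 2220). The command lines say C:\windows\system32 while the images live in C:\Windows\SysWOW64 because the sample is a 32-bit process on 64-bit Windows: WOW64 file-system redirection maps System32 to SysWOW64, so any detection that compares paths has to fold the two. The following is an added example, not Triage's code and not part of the report. It reconstructs the chain as Sysmon-style process-creation records (field shape is an assumption; the PIDs, images and command lines are taken from the tree above, the parent PID 1000 and the benign control event are constructed) and flags a cmd.exe whose `/c` argument is a .bat in the system directory that then spawns the same-named EXE from that directory.

```python
"""Detect the 'cmd /c <sysdir>\X.exe.bat -> <sysdir>\X.exe' chain from the report.

Added example. Events are constructed in the shape of Sysmon Event ID 1
records (ProcessId, ParentProcessId, Image, CommandLine); they are not real
Sysmon output. PIDs and command lines come from the process tree above.
"""
import ntpath
import re
from dataclasses import dataclass

# Canonical form of the Windows system directory after WOW64 folding (see canonical()).
WINDOWS_SYSTEM_DIR = r"c:\windows\syswow64"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events. Parent PID 1000 for the first process and the
# final benign cmd.exe event are assumptions added for the example.
EVENTS = [
    ProcEvent(1820, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe"'),
    ProcEvent(1296, 1820, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\windows\system32\MIKDGBU.exe.bat" "'),
    ProcEvent(2220, 1296, r"C:\windows\SysWOW64\MIKDGBU.exe",
              r"C:\windows\system32\MIKDGBU.exe"),
    # Benign control: a .bat run from the user's profile must not match.
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Users\Admin\build.bat"'),
]


def canonical(path: str) -> str:
    """Lower-case a path, strip quotes, and fold System32 into SysWOW64.

    A 32-bit process on 64-bit Windows that opens or launches
    C:\\Windows\\System32\\... is redirected by WOW64 to C:\\Windows\\SysWOW64.
    That is why the command lines in the report name system32 while the
    executing images are under SysWOW64; folding both spellings lets the
    parent/child match regardless of which one a given log field shows.
    """
    p = path.strip().strip('"').lower()
    return p.replace(r"c:\windows\system32", r"c:\windows\syswow64")


# cmd [/c] "<drive>:\...\something.bat", tolerating the doubled quotes seen above.
BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*(?P<bat>[a-z]:\\[^"]+?\.bat)"*', re.I)


def find_dropped_bat_chains(events):
    """Return (dropper_pid, cmd_pid, exe_pid) for each matching chain.

    Pattern: cmd.exe runs <sysdir>\X.exe.bat, and a child of that cmd.exe has
    image <sysdir>\X.exe. Both the .bat and the .exe must sit in the folded
    system directory, so a .bat in a user profile does not match.
    """
    hits = []
    for e in events:
        if ntpath.basename(canonical(e.image)) != "cmd.exe":
            continue
        m = BAT_RE.search(e.cmdline)
        if not m:
            continue
        bat_dir, bat_name = ntpath.split(canonical(m.group("bat")))
        if bat_dir != WINDOWS_SYSTEM_DIR:
            continue
        expected_exe = ntpath.join(bat_dir, bat_name[: -len(".bat")])
        for child in events:
            if child.ppid == e.pid and canonical(child.image) == expected_exe:
                hits.append((e.ppid, e.pid, child.pid))
    return hits


if __name__ == "__main__":
    for dropper, cmd, exe in find_dropped_bat_chains(EVENTS):
        print(f"drop-and-execute chain: {dropper} -> cmd.exe {cmd} -> {exe}")
```

The same logic ports directly to a Sysmon or EDR query: normalize the image and command-line paths with the System32/SysWOW64 fold first, then join process-creation events on ParentProcessId. Without the fold, the .bat path from the command line (system32) never equals the child's image path (SysWOW64) and the chain is missed.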

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\MIKDGBU.exe.bat

    Filesize

    78B

    MD5

    e6ba86670d38d86cb48e46df760a4b30

    SHA1

    f18487edd6d2017b224409ab2fabc352d7faa3f3

    SHA256

    d56bf1200f38ee5b74f373dac4357c8504958a26a9ec184f8107f6552025e6c9

    SHA512

    32d16b60bd9bb00223589a7be69ec9fc107c17c82a3e3bdec01226c1003079eefd39a43ef2ac250f4b4d0cc5348a8b6b3241eee2c134075eefdc35d128789915

  • \Windows\SysWOW64\MIKDGBU.exe

    Filesize

    208KB

    MD5

    452a433ef00e3a5d62c0d85b68bbe5f2

    SHA1

    9aae5011fdc21a74dd33a3e2978806e75e5e84fc

    SHA256

    910745039da0e75ebca4826b21acabf8be93e2a0056f9e10b626fe547e0de016

    SHA512

    9911cccc3c54c54ec526549ca5c231d4ad895b4c9a80b737c84ebdf3f46e58636fd0e30938d61f21bc093928ab4c9e7e6c89b5b668c6510ccf77fcbcf257a7dd

  • memory/1296-18-0x0000000000170000-0x00000000001A8000-memory.dmp

    Filesize

    224KB

  • memory/1296-17-0x0000000000170000-0x00000000001A8000-memory.dmp

    Filesize

    224KB

  • memory/1820-0-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1820-12-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2220-20-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2220-21-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB