Analysis
- max time kernel: 139s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2024, 15:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: DODDSIARKAA (1).exe
- Resource: win10v2004-20241007-en
General
- Target: DODDSIARKAA (1).exe
- Size: 80KB
- MD5: 9a4e6ee4e2d0fed8328ee5b332e0163a
- SHA1: d9a1fd8e3ece8423665106cb4653a41fdc9c6914
- SHA256: a34606752b08154720964badbf9d292ea9ef11bce74be7230d5131124fcc35a7
- SHA512: 3e520b9c622d8031594254f67d810c8f94918a5fa26d92c2ae7a073f27beb97868d5db89df0940f8054c1b12eed9b83148a495011ab06774777ad48158e2167e
- SSDEEP: 1536:x8KU95KLwKNw0KPwQrDBt/mBd/BVafU/oARs:x8n95KLwKwPwQrWdpofU/oSs
Malware Config
Signatures
- Hide Artifacts: Hidden Files and Directories (1 TTPs, 1 IoCs)

| pid | Process |
|---|---|
| 3360 | cmd.exe |
- System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DODDSIARKAA (1).exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
- Suspicious use of WriteProcessMemory (24 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 5104 wrote to memory of 512 | 5104 | DODDSIARKAA (1).exe | 85 |
| PID 5104 wrote to memory of 512 | 5104 | DODDSIARKAA (1).exe | 85 |
| PID 5104 wrote to memory of 512 | 5104 | DODDSIARKAA (1).exe | 85 |
| PID 5104 wrote to memory of 2680 | 5104 | DODDSIARKAA (1).exe | 86 |
| PID 5104 wrote to memory of 2680 | 5104 | DODDSIARKAA (1).exe | 86 |
| PID 5104 wrote to memory of 2680 | 5104 | DODDSIARKAA (1).exe | 86 |
| PID 5104 wrote to memory of 3360 | 5104 | DODDSIARKAA (1).exe | 87 |
| PID 5104 wrote to memory of 3360 | 5104 | DODDSIARKAA (1).exe | 87 |
| PID 5104 wrote to memory of 3360 | 5104 | DODDSIARKAA (1).exe | 87 |
| PID 3360 wrote to memory of 1960 | 3360 | cmd.exe | 88 |
| PID 3360 wrote to memory of 1960 | 3360 | cmd.exe | 88 |
| PID 3360 wrote to memory of 1960 | 3360 | cmd.exe | 88 |
| PID 5104 wrote to memory of 1108 | 5104 | DODDSIARKAA (1).exe | 89 |
| PID 5104 wrote to memory of 1108 | 5104 | DODDSIARKAA (1).exe | 89 |
| PID 5104 wrote to memory of 1108 | 5104 | DODDSIARKAA (1).exe | 89 |
| PID 5104 wrote to memory of 4416 | 5104 | DODDSIARKAA (1).exe | 90 |
| PID 5104 wrote to memory of 4416 | 5104 | DODDSIARKAA (1).exe | 90 |
| PID 5104 wrote to memory of 4416 | 5104 | DODDSIARKAA (1).exe | 90 |
| PID 5104 wrote to memory of 5112 | 5104 | DODDSIARKAA (1).exe | 92 |
| PID 5104 wrote to memory of 5112 | 5104 | DODDSIARKAA (1).exe | 92 |
| PID 5104 wrote to memory of 5112 | 5104 | DODDSIARKAA (1).exe | 92 |
| PID 5104 wrote to memory of 2640 | 5104 | DODDSIARKAA (1).exe | 93 |
| PID 5104 wrote to memory of 2640 | 5104 | DODDSIARKAA (1).exe | 93 |
| PID 5104 wrote to memory of 2640 | 5104 | DODDSIARKAA (1).exe | 93 |
- Views/modifies file attributes (1 TTPs, 1 IoCs)

| pid | Process |
|---|---|
| 1960 | attrib.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\DODDSIARKAA (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DODDSIARKAA (1).exe"
  PID: 5104
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
    PID: 512
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wxy" mkdir "C:\Users\Admin\AppData\Local\Temp\wxy"
    PID: 2680
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wxy
    PID: 3360
    Signatures: Hide Artifacts: Hidden Files and Directories; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\wxy
      PID: 1960
      Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt
    PID: 1108
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat
    PID: 4416
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c
    PID: 5112
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c pause
    PID: 2640
    Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 181B
  MD5: 225edee1d46e0a80610db26b275d72fb
  SHA1: ce206abf11aaf19278b72f5021cc64b1b427b7e8
  SHA256: e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
  SHA512: 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504
- Filesize: 3B
  MD5: a5ea0ad9260b1550a14cc58d2c39b03d
  SHA1: f0aedf295071ed34ab8c6a7692223d22b6a19841
  SHA256: f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
  SHA512: 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74