Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    139s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2024, 15:05

General

  • Target

    DODDSIARKAA (1).exe

  • Size

    80KB

  • MD5

    9a4e6ee4e2d0fed8328ee5b332e0163a

  • SHA1

    d9a1fd8e3ece8423665106cb4653a41fdc9c6914

  • SHA256

    a34606752b08154720964badbf9d292ea9ef11bce74be7230d5131124fcc35a7

  • SHA512

    3e520b9c622d8031594254f67d810c8f94918a5fa26d92c2ae7a073f27beb97868d5db89df0940f8054c1b12eed9b83148a495011ab06774777ad48158e2167e

  • SSDEEP

    1536:x8KU95KLwKNw0KPwQrDBt/mBd/BVafU/oARs:x8n95KLwKwPwQrWdpofU/oSs

Malware Config

Signatures

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DODDSIARKAA (1).exe
    "C:\Users\Admin\AppData\Local\Temp\DODDSIARKAA (1).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:512
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wxy" mkdir "C:\Users\Admin\AppData\Local\Temp\wxy"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wxy
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Admin\AppData\Local\Temp\wxy
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1108
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5112
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is64.bat

    Filesize

    181B

    MD5

    225edee1d46e0a80610db26b275d72fb

    SHA1

    ce206abf11aaf19278b72f5021cc64b1b427b7e8

    SHA256

    e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

    SHA512

    4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

  • C:\Users\Admin\AppData\Local\Temp\is64.txt

    Filesize

    3B

    MD5

    a5ea0ad9260b1550a14cc58d2c39b03d

    SHA1

    f0aedf295071ed34ab8c6a7692223d22b6a19841

    SHA256

    f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

    SHA512

    7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74