Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2024, 05:25
Static task: static1
Behavioral task: behavioral1
Sample: ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
Resource: win7-20240903-en
General
- Target: ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
- Size: 331KB
- MD5: f0dd240cd2f939bac9a5cdeeaef5bd0f
- SHA1: 2e5da045a18a8fc6e5c511161b81e677f29b81c0
- SHA256: ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6
- SHA512: 967b5ef74ea32b59dedbb1dc522157b80933585304f2c1f99e0605800599ec500d6325d6d1643566d7488d925756d2ffc79e4c851da3fd2df33b7f00e08ed09c
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciY
Malware Config
Extracted
- Family: urelas
- C2:
  - 218.54.31.226
  - 218.54.31.165
  - 218.54.31.166
Signatures
- Deletes itself (1 IoC)
  - pid 2768, process cmd.exe
- Executes dropped EXE (2 IoCs)
  - pid 2492, process ijigx.exe
  - pid 768, process fubys.exe
- Loads dropped DLL (2 IoCs)
  - pid 2972, process ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
  - pid 2492, process ijigx.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process fubys.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process ijigx.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cmd.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  - pid 768, process fubys.exe (54 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 2972 (ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe) wrote to memory of PID 2492, procid_target 30 (4 events)
  - PID 2972 (ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe) wrote to memory of PID 2768, procid_target 31 (4 events)
  - PID 2492 (ijigx.exe) wrote to memory of PID 768, procid_target 34 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe"
  PID: 2972
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ijigx.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ijigx.exe"
    PID: 2492
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fubys.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fubys.exe"
      PID: 768
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2768
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 340B
  - MD5: 8cd3cff4178cc59d085a3ecf5839d45d
  - SHA1: bd0d82aa555476a6a8a90c114672006cb938cf4a
  - SHA256: ab7d42261a64ff50596b350a591c5365158319d569c6d29093ec63ff149c3010
  - SHA512: 26d222a62bf883fbab1bac9b4dab8c019d313b76a6601c9549a0d6f3cb8c41db46ba5eac7d57709290244672561f64c46ab479be170209e67a035c686f311efb
- File 2
  - Filesize: 512B
  - MD5: 3155313fe0802c1b34d4e782e3f64316
  - SHA1: d0cfbc5446512be926e3e478b2592598b9d6cddb
  - SHA256: a8e36a78d4bf79d7e667934732727b8670fb410645c94ac658afa761e4581588
  - SHA512: 8422e091f35dbd0e5cea7beb0b48047727710dc95b976bc049417195f45ead951079dd29abad0694c8f763362d2adc1da0bec34f670f461636fb10488dda6541
- File 3
  - Filesize: 172KB
  - MD5: f5572f78aff8f4608dbe920c436fde1a
  - SHA1: 11e28e5b890462be4c2078e45922e27ca02b47bc
  - SHA256: 7dd4ed74a74882ec7ab971373924e1d247437ffe6d0ffeb6d552a0be88f9eb73
  - SHA512: 9bfbd5733165689fd3a680a8908f96394a503735550dc0aebd99779a9e0d02e94e84e93bed46e64200002a5e81753f7e13ef2e59a6447b95fbd87b41f808040b
- File 4
  - Filesize: 331KB
  - MD5: 803a5f881408751dff093a4154457421
  - SHA1: d3d55dec319d7a82fcf77d1321bc33206c3b77cc
  - SHA256: 07179c6d1c27c67fc72071237100ff31845577744cad6f8fafe15b60f32699d4
  - SHA512: 7f5252363bc351e851c7ab9d3d5ca2d01c8ebfdf1fd46388b1ce682319233d30f916a27dde41a243c4676f2fcfb40cb109a649990af49f828bcf38e58b62ae82