Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2024, 23:16
Static task
static1
Behavioral task
behavioral1
Sample
6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
Resource
win7-20240903-en
General
- Target: 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
- Size: 330KB
- MD5: a7fca01381772be5f88e3f4c59bb488a
- SHA1: 934e2a8dd0bf5fa61aa8809d73d7b46628812eea
- SHA256: 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1
- SHA512: d8def90bc95351068860d6cff6f0ce7a2857be86202980f0714d46d4cdf15901828ce49ea365e9990a609e12a82d5afa7ae2fd4cec7f74b39c51e384661dc282
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVq:vHW138/iXWlK885rKlGSekcj66ciEq
Malware Config
Extracted
Family: urelas
C2:
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Deletes itself (1 IoC)
  pid / Process: 1940 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid / Process: 2600 utxyi.exe
  pid / Process: 2868 jazuc.exe
- Loads dropped DLL (2 IoCs)
  pid / Process: 780 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
  pid / Process: 2600 utxyi.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / utxyi.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / cmd.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / jazuc.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid / Process: 2868 jazuc.exe (54 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  PID 780 wrote to memory of 2600 / 780 / 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe / 31
  PID 780 wrote to memory of 2600 / 780 / 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe / 31
  PID 780 wrote to memory of 2600 / 780 / 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe / 31
  PID 780 wrote to memory of 2600 / 780 / 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe / 31
  PID 780 wrote to memory of 1940 / 780 / 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe / 32
  PID 780 wrote to memory of 1940 / 780 / 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe / 32
  PID 780 wrote to memory of 1940 / 780 / 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe / 32
  PID 780 wrote to memory of 1940 / 780 / 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe / 32
  PID 2600 wrote to memory of 2868 / 2600 / utxyi.exe / 35
  PID 2600 wrote to memory of 2868 / 2600 / utxyi.exe / 35
  PID 2600 wrote to memory of 2868 / 2600 / utxyi.exe / 35
  PID 2600 wrote to memory of 2868 / 2600 / utxyi.exe / 35
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe"
  PID: 780
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\utxyi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\utxyi.exe"
    PID: 2600
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\jazuc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jazuc.exe"
      PID: 2868
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 1940
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: 163be0232365d7ce68accdc4efeda98e
  SHA1: 065d2753d718c85c30f13d29311e5f9f7d469e08
  SHA256: 5a99ed92dbb374a881252e400b55fc2e24a911772061d55953b45e07ce77e26b
  SHA512: 3f2d8da1b5c58a7e5832d1c1f2a25886365f83966aeb3e6230cabf42032e9067df5f6f4c08c4b7dd44406fc147cc5e9cd40906b546220568b579d1ef4d16ca18
- Filesize: 512B
  MD5: 8ba13cd7181d55857793d92ec9e69e93
  SHA1: 15a1b9827cc04cf9e8725daf4ca76e2018972735
  SHA256: 25b0501785f4da7094df2096abdc1c4b1257bc24122cc21ae7646000f0123dbb
  SHA512: 40c6e4e6b1d75a606da5744c0b2f63b879ab8ca1f1d20ac816c0e1e43e933034ef8c8cc9aee64b00e9b229e4c88cf51288569dc3492b9c089e596e9a396599ee
- Filesize: 172KB
  MD5: 09153c73b3e64028d9d4beb1a4e67d11
  SHA1: 3982a8aacaf77f2a12dd371705a13f9f5eaf9842
  SHA256: 3682c4990f54259fff5b13379de6592fc9e23c0b114a4f141745cef375a9223c
  SHA512: cab6be10b016f5f99e60c306a2b15457bde0b58ddce6517ef82a3453b87fe4fa9d902bcad8825e3dd8fc529d2c3c303ba3a8f74ee75e46cbadc80dfe8c61d75c
- Filesize: 330KB
  MD5: a752dab281bbaceca8e71a209827ec17
  SHA1: eff7f16b8277bf859c91d12b5a45976422d1b4bd
  SHA256: 08cad97c768f32592bee54e14a78d7eb199f18389e6d67abd92bac016a7269dc
  SHA512: 8f2251cbcacecbb8c12f898f1470e2c897fb4c5055384908403227c823b42efd3deff99d35a53c5542bb3c911c6131e463f2f47ce285c8133d789f2764b5016b