Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/10/2024, 21:49

General

  • Target

    6a245b74eb7e927298239337e3ff84f6d2eef882104da9854e0911f7d3953f47.exe

  • Size

    29KB

  • MD5

    763dd448904dca6e795e35d389422299

  • SHA1

    46e12617f954cb97bb081e32bc54e551886a1485

  • SHA256

    6a245b74eb7e927298239337e3ff84f6d2eef882104da9854e0911f7d3953f47

  • SHA512

    050a596a40858018c37f5fe13d5a641a074888e7a538b96510e48c5edd55508b0fd2c12ce9161db611105999cd5dd1827dd77288e461cc08bdc7ed29a2979e4f

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Q:AEwVs+0jNDY1qi/q4

Malware Config

Signatures

  • Detects MyDoom family 9 IoCs
  • MyDoom

    MyDoom is a Worm that is written in C++.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a245b74eb7e927298239337e3ff84f6d2eef882104da9854e0911f7d3953f47.exe
    "C:\Users\Admin\AppData\Local\Temp\6a245b74eb7e927298239337e3ff84f6d2eef882104da9854e0911f7d3953f47.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2488

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ad2a611dd5dc3a1ed7990bc88457077d

    SHA1

    71a4874fc2bede0a65cddf1201dcc2bd635ff375

    SHA256

    eda0227910d331703c5b74278d811c1466e4470436cab832bb974792dbbafc39

    SHA512

    c92dd758ed3a59cbc4465643d8300aee2ed79ec8fc22bbf3ce182934309885e8ceddcd77015dde86453170e652bf137a291577a44c1ef1d43edf758cb13949ef

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\O41851V8.htm

    Filesize

    153KB

    MD5

    3501bc5743a8000ee85c9287c5c96280

    SHA1

    497b6d03b44ae952d129dac6dd82544064bae25c

    SHA256

    cc90ab300d9c5d8fc948f2b66ae6b5487f7667cff3081db66207f1a94eeb9f5d

    SHA512

    f6fefb7d8e3245c9e0f809939a614b2a4a65b608e4485e87caf5f9c9ddbc393d38ef5a1de70be083dffc70009a63eb9075e505e26f33ef3398b346978bb86c32

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\search[1].htm

    Filesize

    25B

    MD5

    8ba61a16b71609a08bfa35bc213fce49

    SHA1

    8374dddcc6b2ede14b0ea00a5870a11b57ced33f

    SHA256

    6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

    SHA512

    5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\ESCQDT29.htm

    Filesize

    153KB

    MD5

    b9ab5776cfbac7eec664f1a45e48708f

    SHA1

    276098d45b1e82fbd55b7fc4792f8c9ffa6a714d

    SHA256

    eab24ca72151d9a5cbb4b441e8da466cd558269fe212f41e6727cc977956051e

    SHA512

    1644b9391b9bcb202da734257a958b1ecbe51374d2e9b4457904ad28119f12d7ed60773aa23ac5de40cd68168e995d227e28e7de8b73684cb31bf23ec70291da

  • C:\Users\Admin\AppData\Local\Temp\CabCC5C.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarCCEB.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp

    Filesize

    29KB

    MD5

    c5899bf4410b4eedb439760cb661c377

    SHA1

    ffe16c206c6922507dcf254310a0a52d7a38aa75

    SHA256

    0b8f8655bca5d2bd768538715622866002b48a6f9d8d8f4a1078dc3ef36758b4

    SHA512

    2c8098c890433507cf5504d0946413e8d53950d3d4213a2297f8013190fd0448f542a096a934ff8a4d4e9cc93fa4d05f610a9f0a3e98d29bf421bfaabbd68fc5

  • C:\Users\Admin\AppData\Local\Temp\valyETpypq.log

    Filesize

    320B

    MD5

    6b4d2bac75d77f012f98f167b8932d2a

    SHA1

    42fa1c37137b04d269afa9c71110d88d8a65742f

    SHA256

    5195615b63d855aa594c11a1c7bd75c4cc6405b10d954cb8cd38ca6232bf5e48

    SHA512

    1bfd08627b47ed283bc08f27c818ed6467dc42e2246c2706864fa8bf352ab14bb786b260b4a471fb9122c17168b7fa5c318cd22c5a968d2e0f9ae625cce9d225

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    352B

    MD5

    87cd91c125f556b2733c00cfb7e0e434

    SHA1

    d6bcf30bf47125c2bc30aad76a2e05dfce6885be

    SHA256

    21d1adecdfbda6987b1b49e3de8017ccb5422ac11c7041c4e8f0bb918ec346f0

    SHA512

    82f785600409a3bbec8ec462e664241f19a0f88d9378492666c21abc4d224a1cf89545655c2742465960436eedb28203d43782f3aa3cebff6dc67c173bdcab4c

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    352B

    MD5

    6f390aa46ef69e847817ef1078d6d318

    SHA1

    1b72d01a67d9396d3dda0c45024ad141acc5309c

    SHA256

    4146bdc8b8dbda0f7c2c9a50a1812dc77b60cc9c2026cabbbac3449c595cc943

    SHA512

    00042e1320730e4c86827cf003bcfddb0a553aa0617b1c7a555dd904552c11813bc597689a2f066926de5d6cba989c3c2787f2a0199065d04f865f77897626aa

  • C:\Windows\services.exe

    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/2488-62-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-69-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-390-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-37-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-32-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-58-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-10-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-30-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-19-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-20-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-67-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-25-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-81-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-42-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-74-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2488-79-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2988-73-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2988-78-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2988-68-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2988-66-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2988-61-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2988-0-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2988-17-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2988-16-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2988-57-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2988-4-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2988-41-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2988-389-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB