Analysis
max time kernel: 120s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2024, 11:32
Behavioral task: behavioral1
Sample: 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe
Resource: win10v2004-20241007-en
General
Target: 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe
Size: 29KB
MD5: 0fa4fbdc1354043c6dadaa8abad5d1a0
SHA1: e1fa8bb41e526ccd24fac28200921ffcf0018d8b
SHA256: 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280
SHA512: cbd95610543a413aeff503f450b9da67b4fa4a7d7318050482144a8392bb44e7b33994458331a2431e226fa964a58e05b8c698b2150ccff18d8b247173183822
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/2:AEwVs+0jNDY1qi/qO
Malware Config
Signatures

Detects MyDoom family (6 IoCs)
resource yara_rule
behavioral2/memory/4332-13-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom
behavioral2/memory/4332-37-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom
behavioral2/memory/4332-39-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom
behavioral2/memory/4332-119-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom
behavioral2/memory/4332-151-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom
behavioral2/memory/4332-158-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom

Executes dropped EXE (1 IoC)
pid Process
2000 services.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe

resource yara_rule
behavioral2/memory/4332-0-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/files/0x0008000000023caf-4.dat upx
behavioral2/memory/2000-7-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/4332-13-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/2000-15-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2000-16-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2000-21-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2000-26-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2000-28-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2000-33-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/4332-37-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/2000-38-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/4332-39-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/2000-40-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/files/0x000e000000023b69-50.dat upx
behavioral2/memory/4332-119-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/2000-120-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/4332-151-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/2000-152-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2000-154-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/4332-158-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/2000-159-0x0000000000400000-0x0000000000408000-memory.dmp upx

Drops file in Windows directory (3 IoCs)
description ioc Process
File created C:\Windows\services.exe 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe
File opened for modification C:\Windows\java.exe 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe
File created C:\Windows\java.exe 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description pid Process procid_target
PID 4332 wrote to memory of 2000 4332 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe 84
PID 4332 wrote to memory of 2000 4332 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe 84
PID 4332 wrote to memory of 2000 4332 621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\621879871fc3aa8c09c753bf191781f049a85f82d3fb7951bacb79d350ca1280N.exe"
   PID: 4332
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\services.exe (child of PID 4332)
      Command line: "C:\Windows\services.exe"
      PID: 2000
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads