Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/10/2024, 12:07

General

  • Target

    1b1e615fd82a4f87b14a4ab9109a99a9c32c454181855c5240abcb0088a0d4cbN.exe

  • Size

    29KB

  • MD5

    c3460a3657187e902b721cd7a7a83d80

  • SHA1

    c088caadf454c94dba8dbbad871dfa11409fdce2

  • SHA256

    1b1e615fd82a4f87b14a4ab9109a99a9c32c454181855c5240abcb0088a0d4cb

  • SHA512

    e9951d1d524d9d0658e9283a9bc0fd0c601d9084b2284b4a78ea3697fec36105b58454f44d8a784879f759686710b96b713277d2a5ad6d433013a89e56d1a9c2

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/VAs:AEwVs+0jNDY1qi/q99

Malware Config

Signatures

  • Detects MyDoom family 7 IoCs
  • MyDoom

    MyDoom is a Worm that is written in C++.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b1e615fd82a4f87b14a4ab9109a99a9c32c454181855c5240abcb0088a0d4cbN.exe
    "C:\Users\Admin\AppData\Local\Temp\1b1e615fd82a4f87b14a4ab9109a99a9c32c454181855c5240abcb0088a0d4cbN.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAE0E.tmp

    Filesize

    29KB

    MD5

    379d73dd4db7dd4c9a80f42eef44350b

    SHA1

    cd216d0f89e0d21fa5059081b443c4844aed62d5

    SHA256

    de6654848acb91b849e811917871b77a9a6d93c0f959fae7b0cda548e6ef4ce7

    SHA512

    71d2743f80b2df7b1484c89fd82df0e083e724f62c5433db021dd658b972d7d814226ce793f03dc10e49e3c0ba737ccdcb6974cfcc432df05cd359f53d07dd74

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    352B

    MD5

    9fb1120861c4cc6bc27d8cc3fc0f650b

    SHA1

    dbe8b819d2c585dc7129627c7906e60326e20b98

    SHA256

    830865ce8a699c50a01bc86d2e264b3ca812269f9e999f3878118eb7e32912d5

    SHA512

    4945eeea37382682d12dedd9436cc927f44d42635552d7be3d970e22b609862e9b1768fb2838149302c97911341e5a73ae164684772997b8f2f90a0ccdcc5149

  • C:\Windows\services.exe

    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/2520-36-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/2520-16-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/2520-17-0x0000000000220000-0x0000000000228000-memory.dmp (Filesize 32KB)
  • memory/2520-79-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/2520-72-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/2520-67-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/2520-63-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/2520-4-0x0000000000220000-0x0000000000228000-memory.dmp (Filesize 32KB)
  • memory/2520-2-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize 64KB)
  • memory/3068-10-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-42-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-37-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-32-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-30-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-64-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-25-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-68-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-20-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-73-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-75-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-19-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/3068-80-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)