Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23/10/2024, 17:46
Behavioral task: behavioral1
Sample: 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe
Resource: win10v2004-20241007-en
General
Target: 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe
Size: 41KB
MD5: 22d231a5ae2ba868085c611283bddd20
SHA1: 1a2ee6b3b62e32b1f7e0308866696066e09bada7
SHA256: 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83
SHA512: e0b581c28047fc535cb315fc7c52fb682d5058c5433a40567c32932e989bb479055f97f877fa7badb32b4c2340bece829ef2a472cec85a45cb9048fc941c3382
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
Malware Config
Signatures
-
Detects MyDoom family (7 IoCs)
resource | yara_rule
behavioral1/memory/2232-17-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral1/memory/2232-42-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral1/memory/2232-44-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral1/memory/2232-63-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral1/memory/2232-67-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral1/memory/2232-69-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
behavioral1/memory/2232-74-0x0000000000500000-0x0000000000510200-memory.dmp | family_mydoom
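The memory-dump IoC names above encode the task, PID, dump sequence number and address range of each region the YARA rule matched, and reading them as data rather than as opaque strings is what lets you see that family_mydoom only ever fires on PID 2232's 0x500000-0x510200 region while the 0x400000-0x408000 image regions only match the packer rule. The parser below is an added example, not Triage's own code; the IoC lists are copied from this report (the UPX list is a subset), and the naming convention it assumes is the one visible in the rows.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Copied from the report's yara_rule rows (behavioral1, the Windows 7 run).
FAMILY_MYDOOM_HITS = [
    "behavioral1/memory/2232-17-0x0000000000500000-0x0000000000510200-memory.dmp",
    "behavioral1/memory/2232-42-0x0000000000500000-0x0000000000510200-memory.dmp",
    "behavioral1/memory/2232-44-0x0000000000500000-0x0000000000510200-memory.dmp",
    "behavioral1/memory/2232-63-0x0000000000500000-0x0000000000510200-memory.dmp",
    "behavioral1/memory/2232-67-0x0000000000500000-0x0000000000510200-memory.dmp",
    "behavioral1/memory/2232-69-0x0000000000500000-0x0000000000510200-memory.dmp",
    "behavioral1/memory/2232-74-0x0000000000500000-0x0000000000510200-memory.dmp",
]
# Subset of the report's upx rows; the "files/..." rows are on-disk artefacts,
# not memory dumps, and are kept here to show the parser skips them.
UPX_HITS = [
    "behavioral1/memory/2232-0-0x0000000000500000-0x0000000000510200-memory.dmp",
    "behavioral1/memory/2232-4-0x0000000000400000-0x0000000000408000-memory.dmp",
    "behavioral1/files/0x000700000001925e-7.dat",
    "behavioral1/memory/2568-11-0x0000000000400000-0x0000000000408000-memory.dmp",
    "behavioral1/files/0x0004000000004ed7-50.dat",
    "behavioral1/memory/2568-75-0x0000000000400000-0x0000000000408000-memory.dmp",
]

# Assumed naming convention, taken from the rows themselves:
#   <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
IOC_RE = re.compile(
    r"^(?P<task>behavioral\d+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemoryIoc:
    task: str
    pid: int
    seq: int    # dump sequence number within the task (an ordering, not a timestamp)
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_ioc(name: str) -> Optional[MemoryIoc]:
    """Parse one IoC name; returns None for non-memory IoCs such as files/... rows."""
    m = IOC_RE.match(name)
    if not m:
        return None
    return MemoryIoc(m["task"], int(m["pid"]), int(m["seq"]),
                     int(m["start"], 16), int(m["end"], 16))


def regions_hit(names: Iterable[str]) -> Counter:
    """Count, per (pid, start, end) region, how many dumps matched the rule."""
    counts: Counter = Counter()
    for n in names:
        ioc = parse_memory_ioc(n)
        if ioc is not None:
            counts[(ioc.pid, ioc.start, ioc.end)] += 1
    return counts


def packer_only_regions(family_hits: Iterable[str], packer_hits: Iterable[str]) -> set:
    """Regions the packer rule matched but the family rule never did.

    These are the regions where a disk- or image-based family signature would
    have missed the sample; the family hits live only in the runtime region.
    """
    return set(regions_hit(packer_hits)) - set(regions_hit(family_hits))


if __name__ == "__main__":
    for region, n in sorted(regions_hit(FAMILY_MYDOOM_HITS).items()):
        pid, start, end = region
        print(f"family_mydoom pid={pid} 0x{start:x}-0x{end:x} ({end - start} bytes) in {n} dumps")
    for pid, start, end in sorted(packer_only_regions(FAMILY_MYDOOM_HITS, UPX_HITS)):
        print(f"upx only: pid={pid} 0x{start:x}-0x{end:x}")
```

Run against the full row sets, the output shows the family rule matching a single 0x10200-byte region in the parent across seven successive dumps and never the 0x8000-byte image mapping of either process, which is the region to carve from a memory image if you want to write your own family rule.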
Executes dropped EXE (1 IoC)
pid | Process
2568 | services.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
UPX packed file (25 IoCs)
resource | yara_rule
behavioral1/memory/2232-0-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/2232-4-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/files/0x000700000001925e-7.dat | upx
behavioral1/memory/2568-11-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2232-9-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2232-17-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/2568-20-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2568-21-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2568-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2568-31-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2568-33-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2568-38-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2232-42-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/2568-43-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2232-44-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/2568-45-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/files/0x0004000000004ed7-50.dat | upx
behavioral1/memory/2232-63-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/2568-64-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2232-67-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/2568-68-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2232-69-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/2568-70-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral1/memory/2232-74-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral1/memory/2568-75-0x0000000000400000-0x0000000000408000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\services.exe | 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe
File opened for modification | C:\Windows\java.exe | 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe
File created | C:\Windows\java.exe | 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe
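The two signatures above together describe the persistence mechanism: the sample drops java.exe and services.exe directly into C:\Windows (not System32, where the real services.exe lives) and registers both under the Run key. Those two properties, an autorun image sitting in the Windows root and a filename that collides with a core system binary outside its canonical directory, are cheap to check on any host or in any autoruns export. The following check is an added example, not Triage's or anyone else's code; the first two Run values are the ones this report records, the SecurityHealth entry is a constructed benign case, and the list of system binaries and their expected directories is an assumption you would extend for your own fleet.

```python
import ntpath

# Run values: the first two are from this report (under Wow6432Node because the
# 32-bit sample ran on 64-bit Windows 7); the third is constructed as a benign case.
RUN_VALUES = {
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM":
        r"C:\Windows\java.exe",
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services":
        r"C:\Windows\services.exe",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r'"C:\Windows\System32\SecurityHealthSystray.exe" /hide',
}

# Assumed allowlist: core binaries and the only directory each legitimately runs from.
SYSTEM_BINARIES = {
    "services.exe": r"C:\Windows\System32",
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}
WINDOWS_ROOT = r"C:\Windows"


def image_path(value: str) -> str:
    """Extract the executable path from a Run value, with or without quotes/arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def assess_run_value(data: str) -> list:
    """Return the reasons a Run value looks like dropped-malware persistence (empty if none)."""
    reasons = []
    path = image_path(data)
    directory = ntpath.normcase(ntpath.dirname(path))   # case-insensitive, like NTFS
    base = ntpath.normcase(ntpath.basename(path))
    # 1. An autorun EXE placed directly in %SystemRoot%: legitimate autoruns live in
    #    System32/SysWOW64 or Program Files; explorer.exe is the one expected resident.
    if directory == ntpath.normcase(WINDOWS_ROOT) and base != "explorer.exe":
        reasons.append("executable directly in Windows root")
    # 2. Filename collides with a core system binary but runs from elsewhere.
    canonical = SYSTEM_BINARIES.get(base)
    if canonical is not None and directory != ntpath.normcase(canonical):
        reasons.append(f"{base} masquerade: expected {canonical}")
    return reasons


def flag_run_values(values: dict) -> dict:
    """Map each suspicious value name to its reasons; clean values are omitted."""
    return {name: r for name, data in values.items() if (r := assess_run_value(data))}


if __name__ == "__main__":
    for name, reasons in flag_run_values(RUN_VALUES).items():
        print(name.rsplit("\\", 1)[-1], "->", "; ".join(reasons))
```

On the report's data the JavaVM value is flagged for the Windows-root location alone, while the Services value trips both rules, which is the stronger signal: nothing legitimate registers a second services.exe under Run. Feeding the same function a `reg export` or an Autoruns CSV is a matter of replacing the constructed dictionary.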
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2232 wrote to memory of 2568 | 2232 | 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe | 31
PID 2232 wrote to memory of 2568 | 2232 | 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe | 31
PID 2232 wrote to memory of 2568 | 2232 | 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe | 31
PID 2232 wrote to memory of 2568 | 2232 | 441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe (PID 2232)
  command line: "C:\Users\Admin\AppData\Local\Temp\441540fdc7f1de6d08a883974e129f33ec703c2ca2138f8245fb211160b95a83N.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\services.exe (PID 2568, child of 2232)
    command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 41KB
MD5: 802b66e0f81249d322fa5f582b3a025c
SHA1: 9bdd0f762cde71ec3549d803760f065a297a2eb1
SHA256: 5f56dca7c5d6dc2dd3052f6186d9c935d9212386210dd6ad042bbbd7c1bbc844
SHA512: ac75415e0035a7c37b9edafe085693745d0a35bc0ea9d090b3f0b32d43919dae4784436fe6faf3ae76b75e5cfd44f6b3cce8ab43ace9c4729b5b369c2842e67a

Filesize: 192B
MD5: 994d1210b4e394a60601fc15179b13e3
SHA1: 55e98b0cb28f43511c0a47959c0733f99d88d111
SHA256: f398e652ea8ccaf1eeca615d563205b85f34ad1952b38bd435383bce06d36bcf
SHA512: 3572698fabdb087fc80e040a0734615615152c2091c7f81cd98421a8684e8f8324fda66a4bd336362a4b46ac1ac65cbda087a9e979208109264ddde4c4246466

Filesize: 192B
MD5: 6fd8259d685e33decf55bd13802f320e
SHA1: 3d65a38ee03d3a7f52f583f025eaa13107053464
SHA256: 8d2aa067f5c7a051ff9d163d79e1ffa6daa0070f73332c61a11212643e7c9c13
SHA512: 5dbc8937e455b355d11d544dc6dc0c772a59bbfd7af9baeeee1dbf0f9fafad72a3d5d39a4720161328109f8bdb61d7221941906d1c01084185ac0a395184bbf2

Filesize: 8KB
MD5: b0fe74719b1b647e2056641931907f4a
SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2