Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 05:55

General

  • Target

    d0eb64c30dd33e549b7ee977155b74831a637ea97114e37768e24a96e0be6188.exe

  • Size

    29KB

  • MD5

    0fd41c6f9ad3a2dafafc0f7d57fc8b7c

  • SHA1

    dfaa140936e82ca18d5fb81580f0aae3df5750ca

  • SHA256

    d0eb64c30dd33e549b7ee977155b74831a637ea97114e37768e24a96e0be6188

  • SHA512

    4e9ab365ca521296033d910e761aacff12ccfbc46a2aa52f630be88e58316987543e6a8a422d1d621153340fa9e09c7f2c5d9c4f6db4d1b40c28f1dbcc5b0e9b

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/T:AEwVs+0jNDY1qi/qr

Malware Config

Signatures

  • Detects MyDoom family (8 IoCs)
  • MyDoom

    MyDoom is a worm that is written in C++.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • UPX packed file (27 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Drops file in Windows directory (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0eb64c30dd33e549b7ee977155b74831a637ea97114e37768e24a96e0be6188.exe (PID 2572)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d0eb64c30dd33e549b7ee977155b74831a637ea97114e37768e24a96e0be6188.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Windows\services.exe (PID 2588)
      Command line: "C:\Windows\services.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery

Network

MITRE ATT&CK Enterprise v15

Downloads
